No API access when user permission to panel is set to false

I’m trying to build a website with Kirby CMS and a decoupled front-end, e.g. a statically generated site with Eleventy.

I’ve set up a user role called “visitor” with the permissions as described in the documentation, by deactivating panel access.

Yet, this doesn’t seem to work the way I expect it to, as described in the documentation. For example, trying to request a page “http://localhost:3002/api/pages/home” via basic authentication returns an error:

{
  "status": "error",
  "message": "You are not allowed to access the panel",
  "code": 403,
  "key": "error.access.panel",
  "details": []
}

Full role configuration:

title: Visitor
permissions:
  access:
    panel: false
    site: true
  pages:
    *: false
    read: true

But when I set the permission for the panel to true, the request works. This either seems like a bug to me, or the documentation is confusing; at least I can’t wrap my head around accessing the content via the API with the panel set to false.

Yes, looks like you have to allow Panel access and then set everything else to false. Compare this setup of the better-rest plugin: https://github.com/robinscholz/better-rest/blob/master/blueprints/users/betterrest.yml
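
Following the answer above: once `panel: true` is required for API access, every permission the role leaves unset matters. This added sketch (not from the thread and not Kirby's code) lists what a role still grants beyond what the API client needs; it assumes unset permissions default to allowed, that explicit keys override a `*` wildcard, and it uses an illustrative, partial action list.

```python
# Added example: a constructed model of role permissions, not Kirby's own code.
# ASSUMPTION: an action that is not explicitly denied is allowed (default-allow).
# ASSUMPTION: ACTIONS is a partial, illustrative list of categories and actions.
ACTIONS = {
    "access": ["panel", "site", "users"],
    "pages": ["create", "delete", "read", "update"],
    "files": ["create", "delete", "read", "update"],
    "users": ["create", "delete", "update"],
}

def effective(permissions):
    """Expand a role's permissions mapping into {category: {action: bool}}."""
    out = {}
    for cat, actions in ACTIONS.items():
        cfg = permissions.get(cat, {})
        if isinstance(cfg, bool):      # e.g. `files: false` covers the whole category
            cfg = {"*": cfg}
        base = cfg.get("*", True)      # wildcard sets the baseline, explicit keys override
        out[cat] = {a: cfg.get(a, base) for a in actions}
    return out

def excess(permissions, needed):
    """Return sorted 'category.action' grants that are not in the needed set."""
    eff = effective(permissions)
    return sorted(f"{c}.{a}" for c, acts in eff.items()
                  for a, ok in acts.items() if ok and f"{c}.{a}" not in needed)

# What a read-only API client needs under the behaviour reported in this thread.
NEEDED = {"access.panel", "access.site", "pages.read"}

# Constructed sample 1: the role from the question with only `panel` flipped to true.
PANEL_ONLY = {
    "access": {"panel": True, "site": True},
    "pages": {"*": False, "read": True},
}

# Constructed sample 2: panel allowed, everything else denied explicitly.
LOCKED_DOWN = {
    "access": {"panel": True, "site": True, "users": False},
    "pages": {"*": False, "read": True},
    "files": False,
    "users": False,
}

if __name__ == "__main__":
    print("panel flipped only:", excess(PANEL_ONLY, NEEDED))
    print("locked down:       ", excess(LOCKED_DOWN, NEEDED))
```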

Thanks for the confirmation, Sonja. I then have the solution and can call this solved.

Don’t you then think the documentation might be misleading here, quoting:

You can also have multiple frontend user roles without access to the Panel but with different access rights to the PHP APIs. Our REST API follows the same rules.

Seems to me that isn’t the case and that panel permissions need to be active to achieve what is written in this whole section of the documentation.
