Permissions
User permissions
Instead of assigning permissions directly to the user, we define them on a group basis. Organizing access rights in Groups helps in determining the roles of team members.
Examples of groups:
- Translators -
MANAGE_TRANSLATIONSpermission. - Customer support -
MANAGE_ORDERSandMANAGE_USERSpermissions.
Creating and removing groups
To create a new group, use the permissionGroupCreate mutation.
Request:
mutation {
permissionGroupCreate(
input: {
addPermissions: [MANAGE_GIFT_CARD, MANAGE_DISCOUNTS]
addUsers: []
name: "Sale managers"
}
) {
errors {
message
}
group {
id
name
permissions {
name
}
}
}
}
A successful response:
{
"data": {
"permissionGroupCreate": {
"errors": [],
"group": {
"id": "R3JvdXA6NDM=",
"name": "Sale managers",
"permissions": [
{
"name": "Manage sales and vouchers."
},
{
"name": "Manage gift cards."
}
]
}
}
}
}
To remove a group, use the permissionGroupDelete mutation:
mutation {
permissionGroupDelete(
id: "R3JvdXA6NDM="
) {
errors {
message
}
}
Modifying a group and managing its members
The permissionGroupUpdate mutation takes a list of user IDs you would like to add or remove from the group. Having the same user in both lists will result in an error.
Example request:
mutation {
permissionGroupUpdate(
id: "R3JvdXA6NDM="
input: {
name: "Sale managers"
addPermissions: []
removePermissions: []
addUsers: ["VXNlcjozMg=="]
removeUsers: []
}
) {
errors {
message
}
}
}
App permissions
App permissions are defined on a per-app basis. Access can be assigned during the app installation and modified later using the appUpdate mutation.
JWT token and permissions
JWT tokens have a list of assigned permissions. By decoding payload using RS256 algorithm you will get:
{
"iat": 1624013260,
"iss": "example.com",
"token": "AixxXXXxzF",
"email": "john@example.com",
"type": "access",
"user_id": "VXNlcjozMg==",
"is_staff": true,
"exp": 1624049260,
"oauth_access_key": "",
"permissions": [
"MANAGE_TRANSLATIONS",
"MANAGE_PRODUCTS",
"MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
]
}
To check the token online and learn more about JWT visit https://jwt.io.
Since Saleor reads permissions from the JWT token, generating a new token is necessary when the user changes permissions.
Available permissions
Available permissions are kept in the PermissionEnum.
| Name | Description |
|---|---|
| HANDLE_PAYMENTS | Handle payments |
| HANDLE_CHECKOUTS | Handle checkouts |
| MANAGE_APPS | Manage apps |
| MANAGE_CHECKOUTS | Manage checkout |
| MANAGE_DISCOUNTS | Manage discounts |
| MANAGE_GIFT_CARD | Manage gift cards |
| MANAGE_MENUS | Manage the structure of menus |
| MANAGE_ORDERS | Access to orders data |
| MANAGE_PAGES | Manage pages |
| MANAGE_PLUGINS | Manage plugins |
| MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES | Manage product types and attributes |
| MANAGE_PRODUCTS | Manage products |
| MANAGE_SETTINGS | Manage shop settings |
| MANAGE_SHIPPING | Manage shipping |
| MANAGE_STAFF | Access to staff users data |
| MANAGE_TRANSLATIONS | Manage translations |
| MANAGE_USERS | Access to customers data |