I’d like to increase the security of my website in as many ways possible, one such way being limiting the permission scope of backend functions.
One aspect of the article that remains unclear to me, which I would appreciate clarification around, is the following:
If I call a function residing in one backend module (say module A) from another different backend module (B), and the permission on A is restricted to admin, does that allow the function to be successfully executed when called in module B? Or to do this, would I need to add options to the function call?
What does the ‘admin’ permission actually mean?
Thanks in advance!
Another question on this topic:
Today access may be granted to one of 3 existing options / groups (Anyone / Site member / Admin).
Are there any plans at WIX to extend the selection to custom groups?
This will allow to create new group with specific members (existing already today) and to allow only the users belonging to that group to run the specified backed API.
I know this is an older post, but it still seems very relevant. I haven’t seen an extra function call to execute a function on an admin level in the backend, but it would be interesting.
I have found that calling one backend function from another backend function doesn’t change your permission level. However the events.js functions seem to be on an admin level, even if the user is not an admin.