access control on metadata

[btsimonh]

One challenge we have is restricting user access to the metadata......
I'm toying with the idea of adding an entry to each metadata defn containing a set of required capabilities (maybe an entry for read, entry for write), and a check with 'current_user_can' against these for data read and data write.
Any thoughts/plans on this?

[rilwis]

Yeah, it's a good idea. I'm not sure if we can just use current_user_can. Probably authentication?

[btsimonh]

If authentication is in place, then we are already authenticated here, and current user is set. (I've used both Oauth1 and a home-brew JWT in this project).
If current user is unset, then the current user is zero; for people who do not allow un-authenticated access to rest, it would not get to these functions unless the user is valid.
What I'm unsure of is what current_user_can([]) would return if there is no current user, and also what it will DO - I think it may try to check authorisation every time; not very efficient.

[rilwis]

If so, I think current_user_can is enough. It checks if no user is set and will return false for any capability.