Skip to main content

users/{userid}/allowed (POST)


Check one or more resources if given operation is allowed.

  • REST Method: POST
  • Method Access: public

Uri Parameters

Name Type Description
userid string either an integer user ID, "current", or "=" followed by a double uri-encoded user name

Query Parameters

Name Type Description
mask long? Permission bit mask required for the pages
verbose bool? Return verbose information on permitted pages (default: true
authenticate bool? Force authentication for request (default: false)
operations string? Comma separated list of operations to verify
invert bool? Return filtered instead of allowed pages. Sets verbose to false (default: false

Return Codes

Name Value Description
OK 200 The request completed successfully
Bad Request 400 Invalid input parameter or request body
Not Found 404 Requested user could not be found

Message Format


    <page id="{int}"/>


    <page id="{int}" href="{uri}">

Implementation Notes

Use GET:site/operations to retrieve a list of all operations currently defined on the site.

C# Sample: Check Anonymous User Login and Read Access

 The following code example checks whether the Anonymous user has LOGIN and READ access to pages with ID 29 and 31

Sample Code

Plug p = Plug.New("http://deki-hayes/@api/deki");
p.At("users", "authenticate").WithCredentials("admin", "password").Get();
XDoc pagesDoc = new XDoc("pages")
        .Attr("id", 29)
        .Attr("id", 31)
p.At("users", "=Anonymous", "allowed").With("operations", "LOGIN,READ").Post(pagesDoc);

Sample Response from executing Code 

<?xml version="1.0"?>
  <page id="29" href="http://deki-hayes/@api/deki/pages/29">
    <title>DekiWiki (Hayes)</title>

Curl Sample: Check User Access

The following curl command returns a sublist of pages user "foo" is allowed to access from a list of pages in "pages.xml".

Sample Code

curl -u username:password -H "Content-Type: application/xml" -d @pages.xml -i http://mindtouch.address/@api/deki/users/=foo/allowed

Implementation notes 

Operations and Mask

Sending the above command without the operations or mask parameters does not yield a response of interest. This is because the command will match the user with every page permission, and thus will simply return the list of pages sent in the request. To receive a useful response, such as what pages the specific user is allowed to read, update, set permissions, and so on, an "operations" or "mask" parameter is appended to the end of the path.
For example, the following command will check if user "foo" has READ, UPDATE, and LOGIN access for the list of pages in "pages.xml":
curl -u username:password -H "Content-Type: application/xml" -d @pages.xml -i http://mindtouch.address/@api/deki/users/=foo/allowed?operations="READ,UPDATE,LOGIN"


The response will contain a list where user foo has one or more of those permissions. The "mask" parameter is the same as operations, except it substitutes numeric values for permissions. The following command is interchangeable to the one above:
curl -u username:password -H "Content-Type: application/xml" -d @pages.xml -i http://mindtouch.address/@api/deki/users/=foo/allowed?mask="21"


Where LOGIN = 1, READ = 4, and UPDATE = 16 (16 + 4 + 1 = 21).

Permission Enumeration




curl flags

Basic HTTP authentication. Sends a username and password to server so it can verify whether a user is of privilege to perform specific operation.
-d @file
Specifies a POST request and file to send.
Replaces or appends an HTTP header. The "Content-Type" header specifies the MIME type of the value attached to the property. In this case, use application/xml since the document being passed is of type XML.
Includes the HTTP response header in the output. Useful for debugging.


The user "spock" has been given a "Viewer" role, giving him permissions LOGIN, BROWSE, READ, SUBSCRIBE. We want to see what pages in pages.xml Spock has permission to READ.


Content-Type: text/plain

	<page id="565"/>
	<page id="562"/>
	<page id="563"/>
	<page id="564"/> <!-- This page has been set to Private -->

Sample Code

curl -u admin:password -H "Content-Type: application/xml" -d @pages.xml -i"READ"

HTTP Response Headers

HTTP/1.1 200 OK
Date: Fri, 15 Jan 2010 22:11:23 GMT
Server: Dream-HTTPAPI/
X-Deki-Site: id="default"
Content-Type: application/xml; charset=utf-8
Content-Length: 661
Via: 1.1 dekiwiki

HTTP Response Body

Content-Type: application/xml

<?xml version="1.0"?>
  <page id="565" href="">
  <page id="562" href="">
  <page id="563" href="">

As you can see, page with ID = 564 is not included since it is marked private. Thus it can be gathered that user "spock" does not have privilege to READ said page.

  • Was this article helpful?