tdugard Posted June 22, 2020 Report Share Posted June 22, 2020 Hello everyone, I've recently begin to connect my studio tool to ftrack via the ftrack python API, but something is bothering me. I've generate an API key for the pipeline tool and i'm using it with a user account Here is a part of my code import ftrack_api import os os.environ['FTRACK_SERVER'] = 'https://myserver.ftrackapp.com' # the generic API key os.environ['FTRACK_API_KEY'] = 'my_api_key' # the user name session = ftrack_api.Session(api_user='the_user') def get_project_id_by_name(project_name): project_id = session.query('select id from Project where name is "{0}"'.format(project_name)).first() return project_id def get_shots_by_project(project_id=None): shots = session.query('Shot where project.id is "{0}" order by name asc'.format(project_id)) return shots project_id = get_project_id_by_name("project_name") shots = get_shots_by_project(project_id) for shot in shots: print(shot['name']) The problem i'm facing is that everything returned by the querie is always the same for all users because of the API_key (all project, all task). Is there a way to restrict the result the the user scope (like the user can see in the we interface, only project he can see). It may be because i'm not using user's API key, i really don't know how to manage to work with it. Because i haven't found a way to retreive this user's key with a user/pass function. If you have a clue ? Do i really have to filter everything by the user (it will be my next step if i can't find another way) ? Thanks Link to comment Share on other sites More sharing options...
Lorenzo Angeli Posted June 22, 2020 Report Share Posted June 22, 2020 Hi @tdugard api are not supposed to return filtered results, unless these limits are bound to your user permissions level. What you should do is to filter out the result for the user you are interested in during the query, something along these lines should work. import ftrack_api import os project_name = 'myproject' # login data is passed to the session through environments session = ftrack_api.Session() ftrack_user = session.query('User where username is {}'.format(session._api_user)).first() tasks = session.query('Task where project.name is "{0}" and assignments.resource_id is "{1}" order by name asc'.format(project_name, ftrack_user['id'])) for task in tasks: print t Link to comment Share on other sites More sharing options...
tdugard Posted June 22, 2020 Author Report Share Posted June 22, 2020 Thanks for the quick reply, but the problem i see here is that a user with some coding skill can easily create a function using environment variables that can show the entire project list and can query everything ? Even if in webview he can't see all the projects.. The better solution is to use the user auth_key to connect to the session but i have no clue how to request it via user/password because actually i'm using a global API_key that i have created in Security > Api Keys Like you said i need the result bounded to the user permissions. How can i acheive that ? Link to comment Share on other sites More sharing options...
Lorenzo Angeli Posted June 22, 2020 Report Share Posted June 22, 2020 Hi @tdugard, users query will respect the roles assigned, so they will have different result depending on what they have been set to, especially in regard of the private projects. If you want to ensure these are maintained I'd suggest setting up different global API keys for different behaviours. hope it helps. L. Link to comment Share on other sites More sharing options...
tdugard Posted June 22, 2020 Author Report Share Posted June 22, 2020 That's the problem, i've tested my code with 2 differents users : me : I can see every project user2 : who can see only one project in his web browser And the result of the query Project where status is active is the same for both user. That's why i'm asking for help to know where is the problem. Is it because i use the same global api_key i've created ? Do i need to use user's api key ? if its the only way how can i get this key by code ? Link to comment Share on other sites More sharing options...
tdugard Posted June 25, 2020 Author Report Share Posted June 25, 2020 Hello, i've tried again but still stuck. If someone can help me with this problem My previous message explains everything. I can't find in the help file the way to use the user api key, so in the session creation i use a global one that I've created. But when i use it the queries aren't bounded to the user's permission Link to comment Share on other sites More sharing options...
Guest Posted June 25, 2020 Report Share Posted June 25, 2020 Hi Tony, What's your use case exactly? As you've found, the global API keys are not limited by the role(s) assigned to the user's whose username you use to instantiate your session. Link to comment Share on other sites More sharing options...
tdugard Posted June 25, 2020 Author Report Share Posted June 25, 2020 I want the user to query the ftrack database using my python tool (listing projects, pick a shot, task, etc...) but i need this user to be bounded to his permissions. The global API keys aren't limited to the user's role so i need to use the user's key but i don't know how to get it to set the environment variable. The best way in my opinion is to ask the user for his ftrack login/pass to request his API key. But maybe i'm wrong... Link to comment Share on other sites More sharing options...
Guest Posted June 25, 2020 Report Share Posted June 25, 2020 How's the user running this tool? Is there one persistent process running in a central location or is it more like a short-lived command invoked on the command line? Are you using ftrack Connect? Just the web UI? Depending on your use-case, either running your tool as a plugin in Connect, pulling the API key from the config file written by Connect, or using the method demonstrated by Connect to use an authenticated browser session to generate a new API key all sound like good options. If you're exposing this tool as a web page or widget itself, you could embed that in a dashboard and pull API credentials there too. Also, and I don't necessarily suggest this, a global API key can have the permissions to manage User's API keys, so you could generate a new one for each of your users, store them, then create sessions as needed. Be careful not to revoke their existing keys as that will log them out of Connect. Link to comment Share on other sites More sharing options...
tdugard Posted June 25, 2020 Author Report Share Posted June 25, 2020 The user is just running the tool with a custom launcher written in python (so it's like running a command line) . I have a program called explorer which query ftrack to get all the projects/shot/task information for the user. Once he have choose a task the explorer launch the correct software with the correct context. I don't use ftrack connect. I have my own database for our projects, the goal is to work with the local DB and replicate the data in the ftrack one to use the Web UI to manage projects easily Link to comment Share on other sites More sharing options...
Guest Posted June 25, 2020 Report Share Posted June 25, 2020 Cool! Take a look at this if you don't want to hand out that highly-provisioned API key to everyone https://bitbucket.org/ftrack/ftrack-connect/src/57ece813d21bff72621c1a6a58feb958cd0557cd/source/ftrack_connect/ui/login_tools.py?at=master#login_tools.py-12:13,75:76,84,87,92,95,100,103 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now