User access control

This article explains what types of user access control are available in a Sharetribe marketplace.

By default, all users in a Sharetribe marketplace have the same permissions to join, post listings, and start transactions. However, you can modify some of these permissions in Console, under the "Access control" tab.

Manually grant permission to publish listings

You might want to limit listing publishing rights to certain users only. For example, if you have user types "Buyer" and "Seller", you might want to grant listing publishing rights to sellers only. Or you might be monetizing your marketplace with subscriptions, and therefore you only want to grant publishing rights to users who have subscribed.

On the marketplace level, you can toggle the selection in the Access control tab.

Publish listings permission checkbox

Once this checkbox is selected, you can see the permission status of each user in the Console's Manage > Users view. A checkmark indicates that the user has permission to post listings; a cross indicates that they do not.

User permissions in Manage view

You can grant or revoke publishing rights for an individual user in their user details. Click the "Edit" link next to the "Permissions" heading.

Edit a single user's permissions

Now, you can check or uncheck the permissions checkbox for this user.

User permissions checkbox

Permissions in the currentUser resource

Permissions show up in the currentUser resource in two ways:

  • currentUser has an attribute permissions, which contains the user-level permission setting

currentUser.attributes.permissions

  • currentUser also has a related resource effectivePermissionSet, which contains the user's permissions based on the user level and marketplace level settings. You will need to explicitly include this related resource in your currentUser.show() API call to fetch it from the API.

currentUser.relationships.effectivePermissionSet

This is an important distinction, because the currentUser.attributes.permissions value might be different from the effectivePermissionSet value.

For this reason, you should always use the effectivePermissionSet value to determine the user's access in custom code, because it takes into account both user-level and marketplace-level permissions.

Consider this example:

  • A marketplace has enforced manual permission to publish listings.
  • User A has had their publishing rights revoked. Both their attributes.permissions value and their effectivePermissionSet value for postListings are "permission/deny".
  • The marketplace operator runs a campaign in which they want to grant all users posting rights for 24 hours, so they deselect the checkbox for requiring manual permission to publish listings.

Now, the attributes.permissions value for postListings is still "permission/deny", because it persists on the user's profile.

currentUser.attributes.permissions

The effectivePermissionSet value for postListings, however, is "permission/allow", because the marketplace-level restriction has now been lifted. The marketplace-level setting overrides the user-level setting.

currentUser.relationships.effectivePermissionSet with marketplace level permission
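
The User A scenario above, as an added example (not Sharetribe's own code): a permission check that reads only the effectivePermissionSet value and denies access when that related resource was not included in the response. It assumes a JSON:API-style response body with `data`, `relationships` and `included`; the `permissionSet` type name, the ids and the helper names are constructed for illustration.

```javascript
// Added example. The response bodies below are constructed, and their
// JSON:API-style layout (data / relationships / included) is an assumption.
const ALLOW = 'permission/allow';
const DENY = 'permission/deny';

// Follow the effectivePermissionSet relationship into `included`.
// Returns null when the relationship was not requested or cannot be resolved.
function resolveEffectivePermissionSet(body) {
  const ref = body?.data?.relationships?.effectivePermissionSet?.data;
  if (!ref) return null;
  const match = r => r.type === ref.type && String(r.id) === String(ref.id);
  return (body.included || []).find(match) || null;
}

// Fail closed: only an explicit "permission/allow" in the effective set grants
// access. The user-level attribute is never used as a fallback.
function canPostListings(body) {
  return resolveEffectivePermissionSet(body)?.attributes?.postListings === ALLOW;
}

// Report both values side by side so a mismatch is visible when debugging.
function describeAccess(body) {
  return {
    userLevel: body?.data?.attributes?.permissions?.postListings ?? null,
    effective: resolveEffectivePermissionSet(body)?.attributes?.postListings ?? null,
    canPost: canPostListings(body),
  };
}

// Constructed helper that builds a sample currentUser response for User A.
function sampleResponse(userLevel, effective, withInclude = true) {
  const setRef = { id: 'constructed-set-a', type: 'permissionSet' }; // type name assumed
  return {
    data: {
      id: 'constructed-user-a',
      type: 'currentUser',
      attributes: { permissions: { postListings: userLevel } },
      relationships: withInclude ? { effectivePermissionSet: { data: setRef } } : {},
    },
    included: withInclude ? [{ ...setRef, attributes: { postListings: effective } }] : [],
  };
}

const enforced = sampleResponse(DENY, DENY);          // manual permission required
const campaign = sampleResponse(DENY, ALLOW);         // checkbox deselected for 24 hours
const noInclude = sampleResponse(DENY, ALLOW, false); // relationship not included

console.log(describeAccess(enforced), describeAccess(campaign), describeAccess(noInclude));
```

During the campaign the user-level value still reads "permission/deny" while `canPost` is true, and a response fetched without the related resource yields `canPost: false` rather than falling back to the user-level attribute.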