For my organization I created an Application in retool, which among other things makes a "REST API" call to pdf.co, and specifies an API Key in the header
All good, as long as I use it as my "owner-of-all-resources-and-app" user.
Then I have another user, say "Anthony", which has "Use" permission on this specific App. No permissions on other "Resources" since this is just a REST api, there shouldn't be any Resource associated with it (right?).
Well for Anthony the app doesn't work, at the step where the REST API Call is made, it gets an error.
The only way I found to make it work is to put Anthony in the group "editor" which gives them edit permission and probably something I'm not aware of, that makes this work.
What am I doing wrong? Should I create a resource instead, and assign it to them?
its unclear to me what's the "right" way to add HTTP api calls inside a retool app...
What's the difference between adding them as "REST API" vs "create new REST API resource" ?
Hello! You should definitely try to setup the REST API you are using a resource. This is the preferred way to setup your commonly used APIs across apps. When you set up an API resource adhoc in the way you have you are providing full route and header data (like the x-api-key) which can allow for your credentials to leak out into the wild.
The Use/Edit distinction seems odd to have to make in this case as the basic REST API functionality shouldn't be affected, AKAIK. Are you able to share the error that "Anthony" is seeing?
You likely need to give users edit permission for resources, Resources will hold specific details and queries interact with resources as the resources are a type of "middle-man connector".
nothing, I couldn't make it work. I created the resource, gave access to the user (tried both use and edit permission), but they still receive an error "Invalid Input". Lost already more than a full working day debugging and try to make it work
is there a way for me to share a screencast/loom with the team in private? to show this in public i'll have to work with real production file and sensitive user data, i'd rather send this to retool team only
You can send me a video in a private DM to my account here on this forum. We make sure to take the highest degree of confidentiality with all videos that users share with us and it is a very common practice.
As lots of our users have sensitive data they are working with. It will definitely help give us as more context to trouble shoot. Make sure to sure the resource set up and the query set up along with the permissions page with the different levels for different users!
While recording a 10+ minute loom for you I realized the problem: I was using the "retool storage" retool and the user group did not have access to it.
now that I think about it: feature request > SHOW A NOTIFICATION to the user!! "You don't have Retool Storage Permissions"
I had to go into the state of the fileDrop component to see that something was not right and it took me and my colleagues probably multiple days of work
Ahhh I see, glad you caught that and got things working!
I 100% can make a feature request for that. It would be very useful for avoiding permission issues to flash a message for users to let them know if they do not have Retool DB storage permissions!
Apologies for the inconvenience, thank you for sharing that you had to look into the component state to track down the information, this thread will hopefully be helpful for anyone else running into similar issues!