Plugin SDK > Additional permissions

Additional permissions

Some methods and properties available within the hooks require special permissions to be accessed, as they may cause security issues.

If a plugin wants to access these additional features, it must request specific permissions. When installing the plugin, the user must explicitly grant these permissions, otherwise the installation process will be aborted:

Available permissions

At the moment, only one special permit is available, but in the future more may be added.

currentUserAccessToken

This permission makes the ctx.currentUserAccessToken property available. This token represents the currently logged in user, and you can use it to make API calls to the Content Management API on behalf of that user.

import { SiteClient } from 'datocms-client';
import { useMemo, useEffect } from 'react';
connect({
renderPage(pageId, { ctx }) {
const client = useMemo(() => {
return new SiteClient(
ctx.currentUserAccessToken,
{ environment: ctx.environment },
);
}, [ctx.currentUserAccessToken]);
useEffect(async () => {
const someRecords = await client.items.all();
}, []);
// ...
},
});

Specifying additional permissions

Private plugins

During the creation of a plugin, it is possible to specify the additional permissions the plugin requires:

Marketplace plugins

Public plugins must declare their additional permissions inside the datocmsPlugin.permission key in their package.json file:

{
"name": "datocms-plugin-foobar",
"version": "0.1.0",
"dependencies": {
// ...
},
"datoCmsPlugin": {
"title": "Foobar",
// ...
"permissions": ["currentUserAccessToken"]
}
}

For more information regarding how to publish a plugin in the Marketplace, see here.