Hello,
As Meilisearch's security model is that there is no multi-tenancy on the "configuration" side of a Meilisearch instance (in particular, webhooks), it should be made explicit:
- In https://www.meilisearch.com/docs/learn/security/multitenancy_tenant_tokens, add a paragraph with a warning "Multi-tenancy in Meilisearch is supported for users of the search via tenant tokens. Multi-tenancy is not supported for configuring Meilisearch at the time"
- In https://www.meilisearch.com/docs/reference/api/webhooks, add a paragraph with a warning "Webhooks do not have fine permission granularity, so any API key with
webhooks.ACTION permission can accomplish ACTION on all webhooks, regardless of which API key created the webhook.
- Similarly for
https://www.meilisearch.com/docs/reference/api/chats
Acknowledgment: Thanks to the private report of Gabriel Rodrigues, aka Texugo, who prompted the need for clarification
Hello,
As Meilisearch's security model is that there is no multi-tenancy on the "configuration" side of a Meilisearch instance (in particular, webhooks), it should be made explicit:
webhooks.ACTIONpermission can accomplishACTIONon all webhooks, regardless of which API key created the webhook.https://www.meilisearch.com/docs/reference/api/chatsAcknowledgment: Thanks to the private report of Gabriel Rodrigues, aka Texugo, who prompted the need for clarification