I was trying to see if I could get permissions to work with the Dynamicweb CLI using a user's JWT Bearer token instead of an ApiKey.
And if I use the credentials of a user I can get a Bearer token on
POST https://localhost:18164/Admin/TokenAuthentication/Authenticate
Although the user I log in with has DELETE permission to /Files/Files,
I can still upload files to System using
dw files -i .\README.md System/ --apiKey <JWT Bearer Token>
Which maybe means that all editors have permissions to upload anything with the CLI, which they otherwise wouldn't have using the UI.
If I use my Bearer token directly against the Management API, for example (list files recursive)
GET https://localhost:18164/Admin/Api/DirectoryAll?DirectoryPath=System&includeFiles=true&resursive=true
I can get permissions to work and it doesn't return information from the System folder - only the Files that I gave access to.