@sobadgirl

FIX: #271
FIX: #142
FIX: #98

Notice

This PR hasn't been completed yet. It already meets what I need, so I am just marking it as a draft.

It needs more thought about some special cases (I mentioned several in code comments) and some tests.

Everyone is welcome to update based on this code.

You can fork my repo and start a PR to https://github.com/sobadgirl/drf-extensions

OR

just copy this code to your repo and start a PR to https://github.com/chibisov/drf-extensions directly.

Feature

Add permission chain check to check parent permissions.

Suppose you have these URLs:

/api/users/1/
/api/users/1/houses/
/api/users/1/houses/1/
/api/users/1/houses/1/tables/
/api/users/1/houses/1/tables/1

Before

If you don't have permission on /api/users/1, then you can't visit it,
but you can still visit /api/users/1/houses and other subpaths of /api/users/1/.

This is because when we visit /api/users/1/houses/, the request is sent to HouseViewSet directly, so DRF skips checking the permission of UserViewSet.

After

When you visit /api/users/1/houses/, it will check the permission of UserViewSet.check_object_permissions.
When you visit /api/users/1/houses/1/tables/, it will check the permissions of UserViewSet.check_object_permissions and HouseViewSet.check_object_permissions.

So if you don't have permission to visit /api/users/1/, then you will be refused access to any subpath of /api/users/1/.

@sobadgirl sobadgirl marked this pull request as draft April 24, 2022 12:55
@auvipy auvipy self-requested a review May 14, 2022 20:24
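
The before/after behaviour described in the PR, as an added example that is not part of the PR and is not drf-extensions code. It is a framework-free model: `OBJECT_CHECKS`, `parse`, `leaf_only_allows`, `chain_allows` and `compare` are hypothetical names, and the ownership data is constructed.

```python
import re

# Constructed sample data: a user record is visible only to its owner.
USER_OWNER = {1: "alice", 2: "bob"}

# Hypothetical stand-ins for each viewset's check_object_permissions.
# The house and table checks only require a logged-in requester, as a child
# viewset written without its parent in mind would.
OBJECT_CHECKS = {
    "users": lambda who, pk: USER_OWNER.get(pk) == who,
    "houses": lambda who, pk: who is not None,
    "tables": lambda who, pk: who is not None,
}

# The URLs listed in the PR description.
URLS = [
    "/api/users/1/",
    "/api/users/1/houses/",
    "/api/users/1/houses/1/",
    "/api/users/1/houses/1/tables/",
    "/api/users/1/houses/1/tables/1",
]

def parse(path):
    """Split /api/users/1/houses/ into [("users", 1), ("houses", None)]."""
    tail = path.split("/api/", 1)[1]
    return [(name, int(pk) if pk else None)
            for name, pk in re.findall(r"([a-z]+)(?:/(\d+))?", tail)]

def leaf_only_allows(who, path):
    """Before: only the last viewset in the URL runs its object check."""
    name, pk = parse(path)[-1]
    return pk is None or OBJECT_CHECKS[name](who, pk)

def chain_allows(who, path):
    """After: every object named in the URL, parents included, is checked."""
    return all(OBJECT_CHECKS[name](who, pk)
               for name, pk in parse(path) if pk is not None)

def compare(who):
    """Return (url, before, after) for each sample URL."""
    return [(u, leaf_only_allows(who, u), chain_allows(who, u)) for u in URLS]

if __name__ == "__main__":
    for url, before, after in compare("bob"):
        print(f"{url:32} before={before!s:5} after={after}")
```

A regression test for a nested router can take the same shape: request every subpath as a user who is denied on the parent and assert that each one is refused.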
@auvipy
Collaborator

auvipy commented May 14, 2022

Seems CI is not working properly.


Development

Successfully merging this pull request may close these issues.

Incorporate DRY REST permission
Nested routes allow creation of objects for another parent object
One to one / One to many nested permission