Permissions in /api compared to /admin

bryan-brancotte commented 3 years ago

Hi !

I need your opinion on this @hmenager @thomasrosnet

When a user wants to edit an object trough /api, we use the permissions specified in the class to test whether the user can or cannot edit the object. When the same user wants to do it through /admin we also check if the user is granted on the model by django permissions.

This means :

a user can have more rights in /api than in /admin.
a user that have just created an account can create a team without needing to wait for an admin to grant him/her the permission

We thus have to chose between :

strictly the same rights between /api /admin and user who cannot create new objects unless an admin allows it
/api does not use model permission, user can directly add new objects, but have to be granted to do it in the admin interface
not use model permission at all, juste permissions we create in permissions.py (PubliclyReadableEditableByLeader, ...) and thus have strictly the same rights between /api /admin

bryan-brancotte commented 3 years ago

...and my opinion on this matter is that we should allows all admins to edit in /admin everything they already can in /api

bryan-brancotte commented 3 years ago

The patch doing the first very strict option git apply /tmp/patch.txt patch.txt

IFB-ElixirFr / ifbcat

Permissions in /api compared to /admin #135