RolnickLab / ami-platform

GNU General Public License v3.0

Add true object-level permissions #219

Open mihow opened 10 months ago

mihow commented 10 months ago

All API endpoints should only list or provide access to objects that the current user is allowed to see. And each object should specify if the current user can edit or take other actions on it.

Currently each object provides a simple list of permissions in the API response based on whether the user is logged in or is a superuser.

Consider using the Guardian package to help handle this https://www.django-rest-framework.org/api-guide/permissions/#djangoobjectpermissions https://github.com/rpkilby/django-rest-framework-guardian

Reminder to consider adding an Organization entity to which users belong and from which they inherit permissions. Multiple projects belong to an Org. Users can modify any project in the org by default.

Consider looking at https://github.com/keycloak/keycloak https://django-keycloak.readthedocs.io/en/latest/ https://github.com/Ouranosinc/Magpie
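A framework-free sketch of the permission model this issue asks for, added here as an example rather than code from ami-platform, DRF or the guardian package (the User/Organization/Project classes, the action names and the sample data are all assumed): each object reports the actions the current user may take on it, org members inherit edit rights on every project in their org, and listing is filtered to what the user can view.

```python
from dataclasses import dataclass, field

# Hypothetical models standing in for the real Django ones; names are assumptions.
@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False
    is_authenticated: bool = True

@dataclass
class Organization:
    name: str
    members: set = field(default_factory=set)      # usernames of org members

@dataclass
class Project:
    name: str
    org: Organization
    public: bool = False                            # viewable by anyone, even anonymous
    editors: set = field(default_factory=set)      # per-object grants (guardian-style)

ANONYMOUS = User("anonymous", is_authenticated=False)

def object_permissions(user: User, project: Project) -> list[str]:
    """Actions `user` may take on `project`: superusers get everything, org members
    inherit view/edit/delete on every project in the org, per-project editors may
    view and edit, public projects are viewable by all, otherwise nothing."""
    if user.is_superuser:
        return ["view", "edit", "delete"]
    in_org = user.is_authenticated and user.username in project.org.members
    is_editor = user.is_authenticated and user.username in project.editors
    perms = []
    if project.public or in_org or is_editor:
        perms.append("view")
    if in_org or is_editor:
        perms.append("edit")
    if in_org:
        perms.append("delete")
    return perms

def visible_projects(user: User, projects: list[Project]) -> list[Project]:
    """List endpoint filter: only objects the user is allowed to see."""
    return [p for p in projects if "view" in object_permissions(user, p)]

def serialize(user: User, project: Project) -> dict:
    """Detail representation carrying the per-object permission list."""
    return {"name": project.name, "user_permissions": object_permissions(user, project)}

def build_sample():
    """Constructed sample data, not real ami-platform users or projects."""
    lab = Organization("Example Lab", members={"alice"})
    users = {"alice": User("alice"), "bob": User("bob"),
             "root": User("root", is_superuser=True), "anon": ANONYMOUS}
    projects = [Project("Moth survey", lab), Project("Public traps", lab, public=True),
                Project("Pilot", lab, editors={"bob"})]
    return users, projects
```

In DRF the same resolution would sit in a permission class's `has_object_permission` plus a serializer field, with DjangoObjectPermissions or guardian persisting the per-object grants that `editors` models here.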

mihow commented 4 weeks ago

Related to #354