chibisov / drf-extensions

DRF-extensions is a collection of custom extensions for Django REST Framework
http://chibisov.github.io/drf-extensions/docs
MIT License

[WIP] feat: add parent permission check. #328

Open sobadgirl opened 2 years ago

sobadgirl commented 2 years ago

FIX: #271 FIX: #142 FIX: #98

Notice

This PR hasn't been completed yet; it already meets what I need, so I just marked it as a draft.

It needs more thought about some special cases (I mentioned several in code comments) and some tests.

Everyone is welcome to update based on this code.

You can fork my repo and start a PR to https://github.com/sobadgirl/drf-extensions

OR

Just copy this code to your repo and start a PR to https://github.com/chibisov/drf-extensions directly.

Feature

Add permission chain check to check parent permissions.

Suppose you have these URLs:

/api/users/1/
/api/users/1/houses/
/api/users/1/houses/1/
/api/users/1/houses/1/tables/
/api/users/1/houses/1/tables/1

Before

If you don't have permission on /api/users/1/, then you can't visit it, but you can still visit /api/users/1/houses/ and other subpaths of /api/users/1/.

This is because when we visit /api/users/1/houses/, the request is sent to HouseViewSet directly, so DRF skips checking the permissions of UserViewSet.

After

When you visit /api/users/1/houses/, UserViewSet.check_object_permissions will be checked. When you visit /api/users/1/houses/1/tables/, both UserViewSet.check_object_permissions and HouseViewSet.check_object_permissions will be checked.

So if you don't have permission to visit /api/users/1/, you will be refused access to any subpath of /api/users/1/.
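The Before/After behaviour described in the PR, as an added example that is not the PR's code and not drf-extensions' API. To run without Django or DRF installed it uses plain-Python stand-ins (`ViewSet`, `Request`, `PermissionDenied`, the `ROUTES` table and the `parent` attribute linking a nested viewset to the one owning its URL prefix) that are assumptions modelled on DRF's `get_object` / `check_object_permissions` flow; the users, houses and tables are constructed sample data. `get(path, user, check_parents=False)` reproduces the gap (only the viewset the URL resolves to is checked), and `check_parents=True` walks the chain of ancestor viewsets before the handler runs.

```python
import re
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stand-in for rest_framework.exceptions.PermissionDenied (assumption)."""


@dataclass
class Request:
    user: str  # authenticated username (stand-in for request.user)


# Constructed sample data: users own houses, houses contain tables.
USERS = {1: "alice", 2: "bob"}
HOUSES = {1: {"owner": 1}, 2: {"owner": 2}}
TABLES = {1: {"house": 1}, 2: {"house": 2}}


class ViewSet:
    """Minimal stand-in for a DRF viewset. `parent` (an assumption, not DRF API)
    is (ancestor viewset class, URL kwarg holding that ancestor's pk) or None."""
    parent = None
    lookup_kwarg = "pk"

    def __init__(self, request, kwargs):
        self.request = request
        self.kwargs = kwargs  # captured URL kwargs, as DRF passes them to the view

    def get_object(self):
        raise NotImplementedError

    def has_object_permission(self, obj):
        return True  # permissive by default

    def check_object_permissions(self, obj):
        if not self.has_object_permission(obj):
            raise PermissionDenied(f"{type(self).__name__} denied {obj}")


class UserViewSet(ViewSet):
    def get_object(self):
        return ("user", self.kwargs[self.lookup_kwarg])

    def has_object_permission(self, obj):
        return USERS.get(obj[1]) == self.request.user  # only the user themself


class HouseViewSet(ViewSet):
    parent = (UserViewSet, "user_pk")

    def get_object(self):
        return ("house", self.kwargs[self.lookup_kwarg])

    def has_object_permission(self, obj):
        house = HOUSES.get(obj[1])  # the house must belong to the user in the URL
        return house is not None and house["owner"] == self.kwargs["user_pk"]


class TableViewSet(ViewSet):
    parent = (HouseViewSet, "house_pk")

    def get_object(self):
        return ("table", self.kwargs[self.lookup_kwarg])
    # no object permission of its own: it relies entirely on the parent chain


def check_parent_permissions(view):
    """Parent chain check: instantiate each ancestor viewset with the ancestor's
    pk taken from the URL kwargs, run its object permission check, and keep
    walking up until a viewset with no parent is reached."""
    link = view.parent
    while link is not None:
        parent_cls, pk_kwarg = link
        parent_kwargs = {**view.kwargs, parent_cls.lookup_kwarg: view.kwargs[pk_kwarg]}
        parent = parent_cls(view.request, parent_kwargs)
        parent.check_object_permissions(parent.get_object())
        link = parent.parent


# URL patterns from the PR description (trailing slash optional, as in the last one).
ROUTES = [
    (re.compile(r"^/api/users/(?P<pk>\d+)/?$"), UserViewSet),
    (re.compile(r"^/api/users/(?P<user_pk>\d+)/houses/(?:(?P<pk>\d+)/?)?$"), HouseViewSet),
    (re.compile(r"^/api/users/(?P<user_pk>\d+)/houses/(?P<house_pk>\d+)/tables/(?:(?P<pk>\d+)/?)?$"),
     TableViewSet),
]


def resolve(path):
    for pattern, cls in ROUTES:
        m = pattern.match(path)
        if m:
            return cls, {k: int(v) for k, v in m.groupdict().items() if v is not None}
    raise LookupError(path)


def get(path, user, check_parents=True):
    """Dispatch a GET the way DRF does (object permissions only on detail routes),
    optionally preceded by the parent chain check. Returns an HTTP status code."""
    cls, kwargs = resolve(path)
    view = cls(Request(user), kwargs)
    try:
        if check_parents:
            check_parent_permissions(view)
        if "pk" in kwargs:  # detail route: DRF checks the object itself
            view.check_object_permissions(view.get_object())
    except PermissionDenied:
        return 403
    return 200


if __name__ == "__main__":
    for path in ["/api/users/1/", "/api/users/1/houses/", "/api/users/1/houses/1/tables/1"]:
        print(path, "bob before:", get(path, "bob", check_parents=False),
              "after:", get(path, "bob"))
```

Note that list routes such as `/api/users/1/houses/` never reach `check_object_permissions` on their own viewset in DRF, which is exactly why the chain walk has to run for every request and not only for detail routes.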

auvipy commented 2 years ago

Seems CI is not working properly.