FIX: #271 FIX: #142 FIX: #98
Notice
This PR hasn't been completed yet; it already meets what I need, so I just marked it as a draft.
It needs more thought about some special cases (I mentioned several in code comments) and some tests.
Everyone is welcome to build on this code.
You can fork my repo and start a PR to https://github.com/sobadgirl/drf-extensions, or just copy the code to your repo and start a PR to https://github.com/chibisov/drf-extensions directly.
Feature
Add permission chain check to check parent permissions.
Suppose you have these URLs:
Before
If you don't have permission on /api/users/1, then you can't visit it, but you can still visit /api/users/1/houses and other subpaths of /api/users/1/, because when we visit /api/users/1/houses/ the request is sent to HouseViewSet directly, so DRF skips checking the permission of UserViewSet.
After
When you visit /api/users/1/houses/, UserViewSet.check_object_permissions will be checked.
When you visit /api/users/1/houses/1/tables/, UserViewSet.check_object_permissions and HouseViewSet.check_object_permissions will be checked.
So if you don't have permission to visit /api/users/1/, then you will be refused access to any subpath of /api/users/1/.
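A framework-free sketch of the permission chain described above, added here as an illustration and not code from this PR or from drf-extensions: the viewset names, lookup kwargs and allowed-pk policy are constructed stand-ins, and the two check functions contrast the leaf-only behaviour ("Before") with the chained one ("After").

```python
from dataclasses import dataclass
from typing import Optional

class PermissionDenied(Exception):
    pass

@dataclass
class ViewSet:
    name: str                    # e.g. "UserViewSet"
    lookup_kwarg: str            # URL kwarg carrying this level's object pk
    allowed_pks: frozenset       # constructed policy: pks the caller may access
    parent: Optional["ViewSet"] = None

    def check_object_permissions(self, kwargs):
        pk = kwargs.get(self.lookup_kwarg)
        if pk is None:           # list route: no object at this level to check
            return
        if pk not in self.allowed_pks:
            raise PermissionDenied(f"{self.name} denied {self.lookup_kwarg}={pk}")

def leaf_only_check(viewset, kwargs):
    """'Before': only the viewset the nested router dispatched to is consulted."""
    viewset.check_object_permissions(kwargs)

def chained_check(viewset, kwargs):
    """'After': every ancestor's check_object_permissions runs too, root first."""
    chain = []
    node = viewset
    while node is not None:
        chain.append(node)
        node = node.parent
    for node in reversed(chain):
        node.check_object_permissions(kwargs)

def is_allowed(check, viewset, kwargs):
    try:
        check(viewset, kwargs)
    except PermissionDenied:
        return False
    return True

# Constructed policy: the caller may access house 1 and table 1 but NOT user 1.
users = ViewSet("UserViewSet", "user_pk", frozenset({"2"}))
houses = ViewSet("HouseViewSet", "house_pk", frozenset({"1"}), parent=users)
tables = ViewSet("TableViewSet", "table_pk", frozenset({"1"}), parent=houses)

# URL kwargs as a nested router would extract them from the path.
HOUSES_LIST = {"user_pk": "1"}                   # /api/users/1/houses/
TABLES_LIST = {"user_pk": "1", "house_pk": "1"}  # /api/users/1/houses/1/tables/
```

With the leaf-only check both list routes pass because the child viewset has no object of its own to check; with the chain, UserViewSet denies user_pk=1 before the child is reached.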