danirus / django-comments-xtd

A pluggable Django comments application with thread support, follow-up notifications, mail confirmation, like/dislike flags, moderation, a ReactJS plugin and Bootstrap 5.3.
https://django-comments-xtd.readthedocs.io
BSD 2-Clause "Simplified" License

Access Control #222

Closed omaraltayyan closed 3 years ago

omaraltayyan commented 3 years ago

Is there a method by which we can control access to the API to private comments? Imagine having a thread in a closed private forum page: will anyone who can guess object and content type IDs be able to get the comments on any entity on any site that uses this library?

omaraltayyan commented 3 years ago

Note that I am using the provided React plugin, not Django templates.

danirus commented 3 years ago

Yes. You have control over it via the authentication and permissions of django-rest-framework.

If you want to prevent anyone from using the API, allowing access only to registered users, you could use the following in your settings module:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.SessionAuthentication',
    ],
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ]
}
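An added example (not code from django-comments-xtd or from anyone in this thread) of going one step beyond IsAuthenticated with an object-level DRF permission class, so that a logged-in user who guesses a content type and object id still only reaches comments on objects they are allowed to view. The URL kwarg and POST field names it reads are assumptions, and the thread-membership data is constructed for the demo.

```python
# Added example; not code from django-comments-xtd or from the thread's authors.
# Assumed (not stated on the page): comment API views carry the target in
# view.kwargs['content_type'] ("app_label.model") and view.kwargs['object_pk'],
# or in the same keys of request.data on POST.
from types import SimpleNamespace
try:
    from rest_framework.permissions import BasePermission
except ImportError:  # stand-in so the example also runs without DRF installed
    class BasePermission:
        pass
VISIBILITY_CHECKS = {}  # "app_label.model" -> callable(user, object_pk) -> bool

def register_visibility(label):
    """Decorator: declare how visibility of one commentable model is decided."""
    def deco(fn):
        VISIBILITY_CHECKS[label] = fn
        return fn
    return deco

def _param(request, view, key):
    """Read a URL kwarg first, then a request.data field (assumed layout)."""
    kwargs = getattr(view, "kwargs", None) or {}
    if key in kwargs:
        return kwargs[key]
    return (getattr(request, "data", None) or {}).get(key)

class CanViewCommentedObject(BasePermission):
    """Allow the comment API only when the user may view the commented object."""
    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not getattr(user, "is_authenticated", False):
            return False  # anonymous callers never pass, as with IsAuthenticated
        label = _param(request, view, "content_type")
        pk = _param(request, view, "object_pk")
        if label is None or pk is None:
            return True  # no target in this request: other permission classes decide
        check = VISIBILITY_CHECKS.get(label)
        return check is not None and bool(check(user, pk))  # unknown type: deny

# Constructed sample data standing in for a private forum's thread membership.
THREAD_MEMBERS = {"7": {"alice", "bob"}, "9": {"carol"}}
@register_visibility("forum.thread")
def thread_visible(user, object_pk):
    return user.username in THREAD_MEMBERS.get(str(object_pk), set())

def comments_allowed(username, content_type, object_pk, authenticated=True):
    """Evaluate the permission against a constructed request and view."""
    user = SimpleNamespace(username=username, is_authenticated=authenticated)
    request = SimpleNamespace(user=user, data={})
    view = SimpleNamespace(kwargs={"content_type": content_type, "object_pk": object_pk})
    return CanViewCommentedObject().has_permission(request, view)
```

Register one visibility function per commentable model and list the class alongside IsAuthenticated in the permission classes of the comment views; endpoints that carry no target (for example ones keyed only by comment id) fall through to the other classes.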
omaraltayyan commented 3 years ago

very helpful thanks!!