getpatchwork / patchwork

Patchwork is a web-based patch tracking system designed to facilitate the contribution and management of contributions to an open-source project.
http://jk.ozlabs.org/projects/patchwork/
GNU General Public License v2.0

Document how to restrict/throttle API access #325

Open ajdlinux opened 4 years ago

ajdlinux commented 4 years ago

Requested by Konstantin: https://lists.ozlabs.org/pipermail/patchwork/2019-November/006369.html

Site admins may want to restrict API access to authenticated users only to control server load.


edit: Looks like with some settings in REST_FRAMEWORK, restricting to authenticated users is probably doable by setting the right default permission classes, and there are settings for throttling too. We should add a mention of this to the documentation for the sake of admins who are unfamiliar.

daxtens commented 4 years ago

Do we want to go the whole hog and implement proper ratelimiting, with configurable limits for anonymous/logged in users? I'm thinking about how to protect against misbehaving but authorised scripts...

ajdlinux commented 4 years ago

Yeah why not, DRF seems to support that in a very straightforward manner

ajdlinux commented 4 years ago

Happy to take this, feel free to assign to me

ajdlinux commented 4 years ago

Having asked on IRC, I was helpfully pointed to https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ]
}

seems like it'd probably do it.

DRF also has throttling options: https://www.django-rest-framework.org/api-guide/throttling/

@mricon would overriding the built-in DRF permission and throttling settings work for your use case? In which case maybe we add a link to the DRF documentation and leave it at that.

ajdlinux commented 4 years ago

Ugh, turns out we define our own permissions class and use that, but we can easily fix that class.
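
The permission and throttling settings discussed in the comments above, together with the per-user limit daxtens asked about for misbehaving but authorised scripts, as an added example that is not Patchwork's or Django REST Framework's own code. It carries a settings fragment of the kind the DRF documentation describes and a pure-Python model of the two mechanisms so the behaviour can be run offline: a permission check equivalent to IsAuthenticated (or IsAuthenticatedOrReadOnly when the admin wants anonymous reads), and a sliding-window throttle that follows the same algorithm as DRF's SimpleRateThrottle.allow_request (prune timestamps older than the window, refuse when the window is full). The "anon"/"user" scope names and rates are illustrative, the in-memory dict stands in for the Django cache DRF uses, and the injectable clock exists only so the test can advance time; none of these are Patchwork defaults.

```python
"""Model of DRF permission + throttling settings for an API such as
Patchwork's.  Added example, not Patchwork or DRF code.  Assumptions:
rates and scope names are illustrative; a dict replaces the Django cache."""
import time
from collections import defaultdict

# Settings fragment of the kind the linked DRF docs describe.  Rate strings use
# DRF's "<count>/<period>" syntax; only the first letter of the period matters
# (s, m, h, d).  The values below are assumptions, not Patchwork defaults.
REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
        "anon": "100/day",    # unauthenticated clients, keyed by client IP
        "user": "1000/hour",  # authenticated clients, keyed by user id
    },
}

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def parse_rate(rate):
    """'100/day' -> (100, 86400); same rule as SimpleRateThrottle.parse_rate."""
    if rate is None:
        return (None, None)
    num, period = rate.split("/")
    duration = {"s": 1, "m": 60, "h": 3600, "d": 86400}[period[0]]
    return (int(num), duration)


def has_permission(user, method, authenticated_only=True):
    """IsAuthenticated when authenticated_only, otherwise
    IsAuthenticatedOrReadOnly: anonymous clients get safe methods only."""
    if user is not None:
        return True
    return (not authenticated_only) and method in SAFE_METHODS


class RateThrottle:
    """Sliding-window throttle mirroring SimpleRateThrottle.allow_request."""

    def __init__(self, rates, clock=time.time):
        self.limits = {scope: parse_rate(r) for scope, r in rates.items()}
        self.clock = clock
        self.cache = defaultdict(list)  # cache key -> timestamps, newest first

    def cache_key(self, user, remote_addr):
        # Authenticated users are tracked per account, so a runaway script
        # cannot hide behind a shared NAT address; anonymous clients by IP.
        if user is not None:
            return "user", f"throttle_user_{user}"
        return "anon", f"throttle_anon_{remote_addr}"

    def allow_request(self, user, remote_addr):
        scope, key = self.cache_key(user, remote_addr)
        num_requests, duration = self.limits.get(scope, (None, None))
        if num_requests is None:  # no rate configured for this scope
            return True
        now = self.clock()
        history = self.cache[key]
        # Drop timestamps that have fallen out of the window (oldest is last).
        while history and history[-1] <= now - duration:
            history.pop()
        if len(history) >= num_requests:
            return False  # DRF would answer HTTP 429 here
        history.insert(0, now)
        return True


def simulate(rates, user, remote_addr, n, clock=time.time):
    """Return how many of n back-to-back requests get through the throttle."""
    throttle = RateThrottle(rates, clock)
    return sum(throttle.allow_request(user, remote_addr) for _ in range(n))


if __name__ == "__main__":
    rates = {"anon": "5/minute", "user": "20/minute"}  # assumed rates
    print(simulate(rates, None, "203.0.113.7", 8))     # 5: anon limit hit
    print(simulate(rates, "alice", "203.0.113.7", 8))  # 8: within user limit
    print(has_permission(None, "GET"))                  # False: IsAuthenticated
```

In a real deployment only the REST_FRAMEWORK dict goes into settings; DRF applies the policy itself. The point the model makes is that the two settings are independent: the permission class decides who may call the API at all, while UserRateThrottle is what bounds an authenticated script that loops too hard, so an admin who wants protection against authorised misuse needs the throttle rates, not just IsAuthenticated.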