Open ajdlinux opened 4 years ago
Do we want to go the whole hog and implement proper ratelimiting, with configurable limits for anonymous/logged in users? I'm thinking about how to protect against misbehaving but authorised scripts...
Yeah, why not; DRF seems to support that in a very straightforward manner.
Happy to take this, feel free to assign to me
Having asked on IRC, I was helpfully pointed to https://www.django-rest-framework.org/api-guide/permissions/#setting-the-permission-policy

```python
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ]
}
```

seems like it'd probably do it.
DRF also has throttling options: https://www.django-rest-framework.org/api-guide/throttling/
@mricon would overriding the built-in DRF permission and throttling settings work for your use case? In which case maybe we add a link to the DRF documentation and leave it at that.
Ugh, turns out we define our own permissions class and use that, but we can easily fix that class.
Requested by Konstantin: https://lists.ozlabs.org/pipermail/patchwork/2019-November/006369.html
Site admins may want to restrict API access to authenticated users only to control server load.
edit: Looks like with some settings in REST_FRAMEWORK, restricting to authenticated users is probably doable by setting the right default permission classes, and there are settings for throttling too. We should add a mention of this to the documentation for the sake of admins who are unfamiliar.
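An added example (not code from the Patchwork project or from the DRF documentation) showing the two settings discussed in this issue, authenticated-only access plus per-scope throttling, together with a standalone re-implementation of the sliding-window algorithm DRF's `SimpleRateThrottle` documents, so an admin can see how a rate string such as `500/hour` behaves against a misbehaving script. The rate values, the `SlidingWindowThrottle` class and `simulate_burst` are illustrative assumptions.

```python
# Illustrative settings an admin could place in settings.py: API access only for
# authenticated users, plus request limits per scope (rates are assumptions).
REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
    "DEFAULT_THROTTLE_CLASSES": [
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
        "anon": "20/hour",   # unauthenticated clients (moot once IsAuthenticated is set)
        "user": "500/hour",  # authenticated clients, including misbehaving scripts
    },
}

PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate):
    """Turn a DRF-style rate string such as '500/hour' into (requests, seconds).
    As in DRF's parse_rate(), only the first letter of the period is significant."""
    num, period = rate.split("/")
    return int(num), PERIOD_SECONDS[period[0]]


class SlidingWindowThrottle:
    """Standalone re-implementation of the DRF SimpleRateThrottle algorithm: keep a
    per-key list of request timestamps (newest first), drop those that fell out of
    the window, and reject once the window already holds num_requests entries."""

    def __init__(self, rate):
        self.num_requests, self.duration = parse_rate(rate)
        self.history = {}  # key (user id or client address) -> list of timestamps

    def allow_request(self, key, now):
        history = self.history.setdefault(key, [])
        while history and history[-1] <= now - self.duration:
            history.pop()
        if len(history) >= self.num_requests:
            return False
        history.insert(0, now)
        return True


def simulate_burst(rate, attempts, spacing):
    """Replay a constructed burst of `attempts` requests, `spacing` seconds apart,
    from a single client; returns (allowed, throttled) counts."""
    throttle = SlidingWindowThrottle(rate)
    allowed = sum(throttle.allow_request("script-user", i * spacing) for i in range(attempts))
    return allowed, attempts - allowed
```

A script that fires ten requests a second apart under a `5/min` rate gets five through and five rejected, while the same ten requests spaced twenty seconds apart are all allowed.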