Open cliffordh opened 5 years ago
Reviewing the code I do not see object-level permissions implemented. Thus, it is possible for an authenticated user to update/delete objects in another user's account. See https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#object-level-permissions for information on implementing object-level permissions using REST framework.
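The gap the issue describes, shown as an added example that is not this project's code or the reporter's. It uses the hook names DRF actually calls (`has_permission` / `has_object_permission`) and DRF's default of `has_object_permission` returning `True`, which is why a view guarded only by `IsAuthenticated` lets any logged-in user act on anyone else's object. The `User`, `Note`, `Request` and `NoteDetailView` classes are constructed stand-ins for Django/DRF objects so the file runs without Django; the sample notes and users are made up.

```python
"""Object-level permission check in the shape Django REST framework uses.

Added example, not the project's code. Everything except the permission-class
method names is a constructed stand-in so this runs without Django installed.
"""
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass(frozen=True)
class User:  # stand-in for django.contrib.auth User
    id: int
    username: str
    is_authenticated: bool = True


@dataclass
class Note:  # stand-in for a model row owned by one user
    id: int
    owner_id: int
    text: str


@dataclass
class Request:  # stand-in for rest_framework.request.Request
    user: User
    method: str


class PermissionDenied(Exception):
    pass


class BasePermission:
    # Same defaults as DRF's BasePermission: allow at both levels unless overridden.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticated(BasePermission):
    # View-level only: says who may hit the endpoint, nothing about *which* object.
    def has_permission(self, request, view):
        return request.user.is_authenticated


class IsOwnerOrReadOnly(BasePermission):
    # Object-level: anyone may read, only the owner may modify or delete.
    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        return obj.owner_id == request.user.id


def fresh_db():
    # Constructed sample data: one note per user.
    return {1: Note(1, owner_id=1, text="alice's note"),
            2: Note(2, owner_id=2, text="bob's note")}


class NoteDetailView:
    """Stand-in for a DRF detail view (e.g. RetrieveUpdateDestroyAPIView).

    Mirrors the relevant part of DRF's dispatch: check_permissions() runs before
    the handler, and get_object() calls check_object_permissions() on the fetched
    instance. A handler that loads the row itself instead of calling get_object()
    would skip the object-level hook entirely.
    """

    def __init__(self, permission_classes, db):
        self.permission_classes = permission_classes
        self.db = db

    def check_permissions(self, request):
        for perm in self.permission_classes:
            if not perm.has_permission(request, self):
                raise PermissionDenied("view-level permission failed")

    def check_object_permissions(self, request, obj):
        for perm in self.permission_classes:
            if not perm.has_object_permission(request, self, obj):
                raise PermissionDenied("object-level permission failed")

    def get_object(self, request, pk):
        obj = self.db[pk]
        self.check_object_permissions(request, obj)
        return obj

    def delete(self, request, pk):
        self.check_permissions(request)
        obj = self.get_object(request, pk)
        del self.db[obj.id]
        return 204


def attempt_delete(permission_classes, user, pk):
    """Return 'deleted' or 'denied' for `user` sending DELETE /notes/<pk>/."""
    view = NoteDetailView(permission_classes, fresh_db())
    try:
        view.delete(Request(user=user, method="DELETE"), pk)
        return "deleted"
    except PermissionDenied:
        return "denied"


ALICE = User(1, "alice")
BOB = User(2, "bob")
VULNERABLE = [IsAuthenticated()]                      # what the issue describes
FIXED = [IsAuthenticated(), IsOwnerOrReadOnly()]      # object-level check added

if __name__ == "__main__":
    print(attempt_delete(VULNERABLE, BOB, 1))  # Bob deletes Alice's note
    print(attempt_delete(FIXED, BOB, 1))       # denied
    print(attempt_delete(FIXED, ALICE, 1))     # owner still allowed
```

In a real DRF view the fix is `permission_classes = [IsAuthenticated, IsOwnerOrReadOnly]` on the view, with `IsOwnerOrReadOnly` written as above against `rest_framework.permissions.BasePermission`. Two caveats worth checking while reviewing the same code: `has_object_permission` is only invoked through `get_object()`, so handlers that query the model directly bypass it, and it is never called for list endpoints, so `get_queryset()` must also filter by the requesting user or the list route will still leak other users' objects.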