search

hackforla / peopledepot

A project to setup a datastore for people and projects at HackforLA. The link below takes you to the code documentation
https://hackforla.github.io/peopledepot/
GNU General Public License v2.0
6 stars 26 forks source link

Implement delete security #371

Open fyliu opened 3 weeks ago

fyliu commented 3 weeks ago

Dependency

We need to disable the DELETE method for all models. This was decided by @bonniewolfe in the 2024/08/15 meeting. The idea is that we do not actually delete data in most cases, but we'll work out the actual "delete" implementation later. For now, we just disable the endpoints

Action Items

Resources/Instructions

fyliu commented 3 weeks ago

@bonniewolfe How do we want to implement this?

  1. not have the DELETE endpoints so clients can't call them
  2. show DELETE but return an error
  3. show DELETE and return success but do nothing for now

I'm leaning towards the last option as it's closest to what we eventually want to do.

Note that we can have a custom modelview class to disable this for every model for now, and then switch to the standard ModelViewSet and implement "delete" actions separately for each model.

# declare all model viewsets to use a temporary custom viewset which disables delete
class UserViewSet(NoDeleteModelViewSet):
    ...

# switch to the standard ModelViewSet and add a custom delete method in each model viewset
class UserViewSet(rest_framework.viewsets.ModelViewSet):
    ...

    def delete(self, request, *args, **kwargs):
        ...
shmonks commented 2 weeks ago

Fang's question at the top no longer applies

fyliu commented 2 weeks ago

This issue needs rewriting due to change in scope.