jazzband / django-rest-knox

Authentication Module for django rest auth
MIT License

Add setting for permission_classes for views #201

Open brycekellogg opened 4 years ago

brycekellogg commented 4 years ago

Currently the LoginView, LogoutView, and LogoutAllView all have permission_classes hardcoded to IsAuthenticated. While this is definitely the minimum needed as discussed in issues #64 and #9, sometimes additional permissions are required. For our use case, we are using API keys and only want a user to be able to log in/out/etc. if they have an API key. Currently we solve this like so:

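from knox.views import LoginView as KnoxLoginView
from knox.views import LogoutView as KnoxLogoutView
from knox.views import LogoutAllView as KnoxLogoutAllView
from rest_framework.permissions import IsAuthenticated

# HasAPIKey: project-specific permission class (import not shown in the post)

class LoginView(KnoxLoginView):
    permission_classes = (IsAuthenticated, HasAPIKey)

class LogoutView(KnoxLogoutView):
    permission_classes = (IsAuthenticated, HasAPIKey)

class LogoutAllView(KnoxLogoutAllView):
    permission_classes = (IsAuthenticated, HasAPIKey)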

One possible solution could be similar to how Djoser does it:

class UserViewSet(viewsets.ModelViewSet):
    permission_classes = settings.PERMISSIONS.user

where we set the permissions in settings.py like so:

DJOSER = {
    'PERMISSIONS': {
        'user':  ['baas.auth.permissions.HasAPIKey', 'djoser.permissions.CurrentUserOrAdmin'],
    }
}

johnraz commented 4 years ago

I agree this is a valid option, but introducing a new setting means new documentation, more complexity in the code base, and more tests. As this is a small project with very limited resources, I think we should keep it as is.
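
The settings-driven approach proposed in the first comment can also live in the consuming project, next to the subclassed views, without a change to knox. The sketch below is an added example, not code from knox, Djoser or either poster: it appends configured classes to the `IsAuthenticated` baseline so a setting can only add checks, and it raises on a bad path rather than falling back to fewer checks. `resolve_permissions`, `is_allowed`, `BASELINE`, the dict-shaped request and the two stand-in permission classes are hypothetical, used so the block runs without Django installed.

```python
from importlib import import_module


class IsAuthenticated:  # stand-in for rest_framework.permissions.IsAuthenticated
    def has_permission(self, request, view):
        return bool(request.get("user"))


class HasAPIKey:  # stand-in for the project's own API-key permission
    def has_permission(self, request, view):
        return request.get("api_key") == "constructed-key"


BASELINE = (IsAuthenticated,)  # the minimum the knox views already enforce


def resolve_permissions(dotted_paths, baseline=BASELINE):
    """Import each configured class and append it to the baseline.

    The setting can only add checks. A typo or a non-class value raises at
    start-up instead of leaving the view with fewer checks than intended.
    """
    resolved = list(baseline)
    for path in dotted_paths:
        module_name, _, attr = path.rpartition(".")
        if not module_name:
            raise ValueError(f"not a dotted path: {path!r}")
        obj = getattr(import_module(module_name), attr)  # AttributeError on a typo
        if not (isinstance(obj, type) and hasattr(obj, "has_permission")):
            raise TypeError(f"{path!r} is not a permission class")
        if obj not in resolved:
            resolved.append(obj)
    return tuple(resolved)


def is_allowed(permission_classes, request, view=None):
    """Same rule DRF applies: every listed permission must pass."""
    return all(cls().has_permission(request, view) for cls in permission_classes)


if __name__ == "__main__":
    # Constructed setting, shaped like the DJOSER['PERMISSIONS'] entry above.
    configured = [f"{HasAPIKey.__module__}.HasAPIKey"]
    classes = resolve_permissions(configured)
    print([c.__name__ for c in classes])
    print(is_allowed(classes, {"user": "alice"}))
    print(is_allowed(classes, {"user": "alice", "api_key": "constructed-key"}))
```

In a Django project, `django.utils.module_loading.import_string` does the dotted-path import, and the resolved tuple would be assigned to `permission_classes` on the subclassed knox views.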