We need to make sure the only people who can see their own data are the people who should be able to-- so professors can manage their own courses, users can only see their own work and their own classes.
I like the idea of decorators for this but I'm trying to figure out what that would look like.
Here's some pseudocode that gets at the idea, but is implemented poorly (using a string to specify what a variable would look like, and I don't know if I got the decorator syntax exactly right). We might be able to clean this up by not extending its versatility as far.
    from functools import wraps
    from flask import abort

    def restrict_access(access, **outer_kwargs):
        # Name of the route argument that holds the course id, e.g. course='id'
        course = outer_kwargs['course']  # or something better

        def decorator(f):
            @wraps(f)
            def inner_function(*args, **inner_kwargs):
                # get the course id from the inner function's keyword arguments
                course_id = inner_kwargs[course]
                # check access of get_session_user() against the course and return 403 if not authorized
                # (has_access is a placeholder for the check that still has to be written)
                if not has_access(get_session_user(), access, course_id):
                    abort(403)
                return f(*args, **inner_kwargs)
            return inner_function
        return decorator

    @app.route('/course/<id>/list_students')
    @restrict_access('instructor', course='id')
    def course_list_students(id):
        pass
Other ideas: some sort of function within each data type which decides if a user is authorized to access a resource
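An added example, not code from the original post or the project: it combines the decorator idea with the "function within each data type" idea, so the decorator only loads the resource and the resource itself decides, denying by default. `Course`, `authorizes`, `Forbidden`, `COURSES`, `SESSION`, `call_as` and the `loader`/`arg` parameters are hypothetical names, `get_session_user()` is stubbed, and the exception stands in for Flask's `abort(403)` so the block runs without a web framework.

```python
from dataclasses import dataclass, field
from functools import wraps

class Forbidden(Exception):
    """Stand-in for an HTTP 403 (abort(403) in Flask)."""

@dataclass
class Course:
    id: int
    instructors: set = field(default_factory=set)
    students: set = field(default_factory=set)

    def authorizes(self, user, role):
        # The data type decides; unknown roles and anonymous users are denied.
        members = {"instructor": self.instructors, "student": self.students}
        return user is not None and user in members.get(role, ())

# Constructed sample data standing in for the database and the session.
COURSES = {
    1: Course(1, {"prof_a"}, {"stu_x"}),
    2: Course(2, {"prof_b"}, {"stu_x", "stu_y"}),
}
SESSION = {"user": None}

def get_session_user():
    return SESSION["user"]

def restrict_access(role, loader, arg):
    def decorator(f):
        @wraps(f)
        def inner(*args, **kwargs):
            resource = loader(kwargs.get(arg))
            # Fail closed: a missing resource or missing argument gets the
            # same answer as a failed check, so ids cannot be probed.
            if resource is None or not resource.authorizes(get_session_user(), role):
                raise Forbidden(f.__name__)
            return f(*args, **kwargs)
        return inner
    return decorator

@restrict_access("instructor", loader=COURSES.get, arg="id")
def course_list_students(id):
    return sorted(COURSES[id].students)

def call_as(user, view, **kwargs):
    SESSION["user"] = user
    try:
        return view(**kwargs)
    except Forbidden:
        return 403
```

Passing a loader callable and an argument name replaces the string-typed `course='id'` lookup, and the same decorator then works for any data type that exposes an `authorizes` method.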