- User: an authenticated user, in which case only her objects will be visible
- Client: a client will use a token.
Tokens need to be created in core (can be done via admin), and then you will be able to register this token in the client, e.g. storing it as a setting.
Tokens are fairly simple things, consisting of an informative label and a key. We can later extend this to use tokens for other purposes (teams and users).
In addition to the permissions/ownership check, I added a useful mixin that allows dynamically limiting which fields to return in the payload.
Permissions and dynamic field mixin are applied for now to repos and features.
Example for manual testing:
1. Create a token in the admin
2. Create some team, users, projects, and features or repos
3. Browse to /core/features/feature/?X-Ployst-Access-Token=<token_key>&fields=feature_id,title without logging in - should see all features
4. Same without token - get a 403
5. Log in (via admin) with some account that cannot access all features and browse to /core/features/feature/ - should see only features from projects of own teams
Code details
This work in progress includes:
- API base classes for security and ownership checks.
- A mixin for filtering fields
- A testcase mixin that simplifies writing tests that require passing ownership checks
- Fixes the "not implemented" failing test - we're all green now :)
I'll probably extend this with additional tests for the base classes/mixins. If you have suggestions about what else to test let me know.
Functional description: supports two security mechanisms as defined in http://txels.tpondemand.com/entity/312.
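The following is an added example, not code from the ployst project: a dependency-free Python model of the behaviour the manual test steps and the "Code details" list describe, i.e. the two access mechanisms (a registered client token, or an authenticated user who only sees objects of her own teams), the 403 when neither is present, and the dynamic `fields` filter. The class and function names (Token, User, Feature, get_feature_list, select_fields), the sample records and the token key are assumptions made for illustration; the only names taken from the page are the query parameter X-Ployst-Access-Token and the `fields` parameter.

```python
# Added example, not ployst code: a dependency-free model of the two access
# mechanisms (client token or authenticated user) and the dynamic ``fields``
# filter described in the PR. Token, User, Feature, get_feature_list and the
# sample records below are assumptions for illustration.
import hmac
from dataclasses import asdict, dataclass

TOKEN_PARAM = "X-Ployst-Access-Token"   # query parameter used in the manual test


@dataclass(frozen=True)
class Token:
    label: str   # informative label, e.g. which client holds the token
    key: str     # the secret the client stores as a setting


@dataclass(frozen=True)
class User:
    username: str
    teams: frozenset   # names of the teams the user belongs to


@dataclass(frozen=True)
class Feature:
    feature_id: int
    title: str
    project: str
    team: str    # team owning the project; the ownership check keys on this


# Constructed sample data standing in for the rows created in the admin.
TOKENS = [Token(label="ci-client", key="constructed-token-key-1")]
USERS = {
    "alice": User("alice", frozenset({"core"})),
    "bob": User("bob", frozenset({"frontend"})),
}
FEATURES = [
    Feature(1, "Token auth", "ployst-core", "core"),
    Feature(2, "Field filter", "ployst-core", "core"),
    Feature(3, "Web client", "ployst-client", "frontend"),
]


def token_is_valid(key: str) -> bool:
    """Look the key up among registered tokens with a constant-time compare."""
    found = False
    for token in TOKENS:
        # Compare against every token instead of returning early, so the
        # time taken does not reveal which entry (if any) matched.
        if hmac.compare_digest(token.key.encode(), key.encode()):
            found = True
    return found


def features_owned_by(user: User) -> list:
    """Ownership check: only features of projects belonging to the user's teams."""
    return [f for f in FEATURES if f.team in user.teams]


def select_fields(obj, wanted):
    """Dynamic field mixin: keep only the requested fields (unknown names ignored)."""
    data = asdict(obj)
    if wanted is None:
        return data
    return {name: data[name] for name in wanted if name in data}


def get_feature_list(query: dict, user: User = None):
    """Model of GET /core/features/feature/; returns (status, payload).

    ``query`` is the parsed query string, ``user`` the logged-in user or None.
    """
    token_key = query.get(TOKEN_PARAM)
    if token_key is not None and token_is_valid(token_key):
        visible = FEATURES                  # valid client token: every object
    elif user is not None:
        visible = features_owned_by(user)   # authenticated user: own objects only
    else:
        return 403, {"detail": "Authentication credentials were not provided."}

    fields = query.get("fields")
    wanted = [name for name in fields.split(",") if name] if fields else None
    return 200, [select_fields(f, wanted) for f in visible]


if __name__ == "__main__":
    # The three manual-test scenarios from the description.
    print(get_feature_list({TOKEN_PARAM: TOKENS[0].key, "fields": "feature_id,title"}))
    print(get_feature_list({}))
    print(get_feature_list({}, user=USERS["alice"]))
```

The token branch is checked first so an anonymous client with a valid token sees every object, exactly as step 3 expects; an unknown token is treated the same as no token, and an unauthenticated request with no token is refused before any query runs, so the field filter can never widen what a caller is allowed to see.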