refugeehackathon / interpreteer-backend

Interpreteer helps newcomers find an interpreter
GNU General Public License v2.0

Secure the backend #42

Open dahoo opened 8 years ago

dahoo commented 8 years ago
illing2005 commented 8 years ago
  1. Can be solved by adding

        REST_FRAMEWORK = {
            'DEFAULT_RENDERER_CLASSES': (
                'rest_framework.renderers.JSONRenderer',
            )
        }

    to the production settings. But I like the BrowsableAPIRenderer, because it's easier to debug.

  2. Do we need email addresses in the frontend? I would just remove them from the UserSerializer
dahoo commented 8 years ago
  1. Okay, but it would suffice to have it in the development environment, right?
  2. Yes, for example if the user wants to change it. But there must be some best practices for that...
hrantzsch commented 8 years ago
  1. People are already only allowed to post data when they are logged in. What does it matter if they use a frontend for that?
  2. api/users should generally not be available. No frontend needs to access the data of all users, right? We should only offer data for the user who is logged in.
dahoo commented 8 years ago
  1. Great, I wasn't aware of that.
  2. There's no need to request all users, but we need to query the name of a certain user. But true, the email address doesn't need to be included.
hrantzsch commented 8 years ago

You mean when viewing a request or offer, right? Then we really only need to provide a way to resolve the name of the user who belongs to the request/offer.
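The three hardening steps discussed in this issue, as an added example that is not code from the interpreteer-backend project: the REST_FRAMEWORK renderer list switched on DEBUG so the BrowsableAPIRenderer only exists in development, an allow-list of user fields that never includes the email address unless the viewer is the account owner, and an offer view that resolves the owner's name inline so no `/api/users` listing is needed. It is plain Python that models what the Django REST framework settings and serializers would do; the dotted class paths are the real DRF names, while `User`, `Offer`, the field lists and the sample records are constructed for the illustration.

```python
# Added example, not code from the interpreteer-backend project: a plain-Python
# model of the three hardening steps discussed in the issue. User/Offer records
# and the field allow-lists are constructed sample data for the illustration.
from dataclasses import dataclass

# Dotted class paths exactly as they appear in a Django REST framework settings file.
JSON_RENDERER = "rest_framework.renderers.JSONRenderer"
BROWSABLE_RENDERER = "rest_framework.renderers.BrowsableAPIRenderer"
IS_AUTHENTICATED = "rest_framework.permissions.IsAuthenticated"


def rest_framework_settings(debug):
    """Build the REST_FRAMEWORK dict: JSON only in production, the browsable
    renderer added only when DEBUG is on, and authentication required everywhere."""
    renderers = [JSON_RENDERER]
    if debug:
        renderers.append(BROWSABLE_RENDERER)
    return {
        "DEFAULT_RENDERER_CLASSES": tuple(renderers),
        "DEFAULT_PERMISSION_CLASSES": (IS_AUTHENTICATED,),
    }


@dataclass(frozen=True)
class User:
    id: int
    username: str
    first_name: str
    last_name: str
    email: str


@dataclass(frozen=True)
class Offer:
    id: int
    owner_id: int
    language: str


# Allow-lists (hypothetical field names): what any logged-in user may see about
# another user, and the larger set a user may see about their own account.
# The email address is never in the public set.
PUBLIC_USER_FIELDS = ("id", "first_name", "last_name")
OWNER_USER_FIELDS = PUBLIC_USER_FIELDS + ("username", "email")


class NotAuthenticated(Exception):
    """Raised when an anonymous viewer asks for user data."""


def serialize_user(user, viewer):
    """Serialize `user` for `viewer`; only the account owner gets the private fields."""
    if viewer is None:
        raise NotAuthenticated("login required")
    fields = OWNER_USER_FIELDS if viewer.id == user.id else PUBLIC_USER_FIELDS
    return {name: getattr(user, name) for name in fields}


def me_endpoint(viewer):
    """Replacement for a user list endpoint: returns only the caller's own record."""
    return serialize_user(viewer, viewer)


def offer_detail(offer, users_by_id, viewer):
    """Offer view that resolves the owner's name inline, so the frontend never
    needs to query /api/users to display who posted the offer."""
    owner = users_by_id[offer.owner_id]
    return {
        "id": offer.id,
        "language": offer.language,
        "owner": serialize_user(owner, viewer),
    }


if __name__ == "__main__":
    alice = User(1, "alice", "Alice", "A.", "alice@example.org")
    bob = User(2, "bob", "Bob", "B.", "bob@example.org")
    users = {u.id: u for u in (alice, bob)}
    offer = Offer(10, owner_id=alice.id, language="Arabic")
    print(rest_framework_settings(debug=False))   # JSONRenderer only
    print(offer_detail(offer, users, viewer=bob))  # Alice's name, no email
    print(me_endpoint(alice))                      # Alice sees her own email
```

The point of the allow-lists is that the private fields are an explicit opt-in per viewer rather than something the public serializer must remember to exclude; adding a new column to the user model does not leak it until someone adds it to a list.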