Closed bradydean closed 1 year ago
yeah, I've used a pattern in projects that allows scoping allowed PK related field values using an access policy.
I'll do a release shortly.
This is available now: https://rsinger86.github.io/drf-access-policy/policy_reuse/
There's a more robust version of this, where the field automatically identifies the policy based on the association of a viewset, a model and a policy. But I wanted to save some fun for later :)
That would be cool. I can get by with this at the moment, thanks for the quick work!
I have two ModelViewSet's/ModelSerializer's, each with their access policies set. To create an object in one viewset you must give the PK of an object in the other viewset. At the moment it does not enforce the other viewset's access policy for that PK. Is does not deny access to a resource that you would otherwise not have access to through the other viewset. Is there a way to enforce the policy there?