stanfordnmbl / opencap-api

Apache License 2.0

Investigate which options for check permissions are more secure for each case #105

Closed AlbertoCasasOrtiz closed 1 year ago

AlbertoCasasOrtiz commented 1 year ago

Mentioned in https://github.com/stanfordnmbl/opencap-api/pull/62#discussion_r1307753592

Check which option is better to check permissions and make sure it is secure.

AlbertoCasasOrtiz commented 1 year ago

I have been looking into this.

Currently, we are using two approaches to check permissions:

  1. permission_classes: These are defined in the class and are applied to every method of that class. Like here.
  2. check_object_permission function: It is called inside of a function, and checks if the request information (which contains user and session information) has permissions before modifying or accessing a specific object. Like here.

The permission classes are defined here, and are applied to retrieve, delete and modify actions according to the documentation. I think we are using the check_object_permission in cases where there is public information (like a session) and everyone can retrieve it, but only the owner can modify it. So I guess we use the permission_classes to check if a user can access the object, and then we check if that user has permissions to modify it using the check_object_permission function. It is a little confusing, so I could be wrong here.

Based on this, I don't think we should select one or another option to check for permissions, since each one is doing a different thing. What are your thoughts? @antoinefalisse @suhlrich
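
Added example, not part of the thread and not opencap-api code: a pure-Python model of the two checks discussed above, using Django REST framework's method names (`has_permission`, `has_object_permission`, `check_permissions`, `check_object_permissions`) on stand-in classes. `Request`, `Session`, `SessionView`, `IsOwnerOrPublicReadOnly` and the `rename_*` handlers are hypothetical; the point shown is that the object-level rule only takes effect in a handler that calls `check_object_permissions`.

```python
# Stand-in model of the two permission stages; not DRF and not opencap-api code.
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # the read-only methods DRF treats as safe

class PermissionDenied(Exception):
    """Raised when either stage rejects the request."""

@dataclass
class Request:                      # constructed stand-in for a request
    method: str
    user: str                       # "" models an anonymous caller

@dataclass
class Session:                      # constructed stand-in for a model instance
    owner: str
    public: bool
    name: str = "trial"

class IsOwnerOrPublicReadOnly:      # hypothetical permission class
    def has_permission(self, request, view):
        # View-level stage: runs before the handler, no object available yet.
        return bool(request.user)

    def has_object_permission(self, request, view, obj):
        # Object-level stage: anyone may read a public object, only the owner may change it.
        if request.method in SAFE_METHODS and obj.public:
            return True
        return obj.owner == request.user

class SessionView:
    permission_classes = [IsOwnerOrPublicReadOnly]

    def check_permissions(self, request):
        if not all(p().has_permission(request, self) for p in self.permission_classes):
            raise PermissionDenied("view-level check failed")

    def check_object_permissions(self, request, obj):
        if not all(p().has_object_permission(request, self, obj) for p in self.permission_classes):
            raise PermissionDenied("object-level check failed")

    def dispatch(self, request, obj, handler):
        self.check_permissions(request)   # applied to every handler of the view
        return handler(request, obj)

    def rename_checked(self, request, obj):
        self.check_object_permissions(request, obj)   # explicit object-level check
        obj.name = "renamed"
        return obj.name

    def rename_unchecked(self, request, obj):
        obj.name = "renamed"              # object-level check forgotten
        return obj.name
```

In this model a logged-in non-owner passes the view-level stage, so `rename_unchecked` lets them modify the object while `rename_checked` raises `PermissionDenied`.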