
Different included_resources per permissions #903


Closed
SafaAlfulaij opened this issue Apr 1, 2021 · 2 comments

Comments

@SafaAlfulaij
Contributor

Ref #864
How can one restrict included resources by permissions? For example, only staff users can include flags on comments on posts. Otherwise return 403?

@sliverc
Member

sliverc commented Apr 2, 2021

You can write a custom permission class and check whether the include parameter is set and if yes whether the user has the rights to include flags or not.

I would be very careful with this though, because with the relationship on comments a user already gets an id and type of a flag, which exposes information you might not want. Another option would be to have different resources for readers of the API and for staff.

Does this make it clearer?

@SafaAlfulaij
Contributor Author

I think the permission class can do this job (writing a general one, then subclassing it for different includes/permission code names).
And about the relationship, I can easily pop unauthorized fields/links from the serializer, and put the same permission class on the relationship view.
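
The approach discussed in this thread (a general permission class, subclassed per include and permission codename), as an added example that is not code from the project or from either participant. It is a plain class so that it runs without Django installed; in a project it would subclass DRF's `BasePermission`. The names `IncludePermission`, `CanIncludeFlags`, `stub_request` and the codename `moderation.view_flag` are hypothetical.

```python
import re
from types import SimpleNamespace


def canon(name):
    """Fold case and -/_ so formatting variants of a name compare equal (fails closed)."""
    return re.sub(r"[-_]", "", name.strip()).lower()


def requested_includes(request):
    """Every relationship named in ?include=a.b,c, canonicalised."""
    raw = request.query_params.get("include", "")
    # "comments.flags" pulls in both "comments" and "flags"
    return {canon(seg) for seg in re.split(r"[.,]", raw) if seg.strip()}


class IncludePermission:
    """General check with the DRF permission signature has_permission(request, view)."""

    restricted_includes = ()   # relationship names to guard
    required_perm = None       # Django permission codename
    message = "Including this resource is not permitted."

    def has_permission(self, request, view):
        guarded = {canon(n) for n in self.restricted_includes}
        if not (requested_includes(request) & guarded):
            return True  # nothing restricted was asked for
        user = getattr(request, "user", None)
        return bool(user and user.is_authenticated
                    and user.has_perm(self.required_perm))


class CanIncludeFlags(IncludePermission):
    restricted_includes = ("flags",)
    required_perm = "moderation.view_flag"  # hypothetical codename


def stub_request(include, perms=()):
    """Constructed stand-in for a DRF request, for running the check offline."""
    user = SimpleNamespace(is_authenticated=True, has_perm=lambda p: p in perms)
    params = {"include": include} if include is not None else {}
    return SimpleNamespace(query_params=params, user=user)
```

Listed in a view's `permission_classes`, a `False` result makes DRF answer 403 for an authenticated user. As sliverc points out above, the relationship on comments still exposes each flag's id and type, so this check on its own does not hide that.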
