Authentication doesn't work for EmbeddedListField #70
Comments
|
Currently I do not have much time to look into this. Sorry. |
|
the last two issues are about the same problem the problem itself and a temporary solution is described in the post here |
|
#71 isn't really about this (it's about an extra call to authorization for normal documents, not ones embedded in lists) but #72 is. My bad for reporting a duplicate issue, I was thrown off by this bug's subject line about Authentication rather than Authorization. In our case any non-GET request to the EmbeddedListField was being allowed. Only read_detail or read_list were being accessed in our Authorization function; none of the other functions were even being checked before the data was written and success returned to any Authenticated user. Our hackish solution was to just add a call to the authorization features in obj_create, obj_update and obj_delete: --- resources.py.bak 2014-01-14 12:04:08.826678379 -0500
+++ resources.py 2014-01-14 12:08:16.172309240 -0500
@@ -814,6 +814,7 @@
def obj_create(self, bundle, **kwargs):
try:
+ self.authorized_create_detail(self.get_object_list(bundle.request), bundle)
bundle.obj = self._meta.object_class()
for key, value in kwargs.items():
@@ -853,6 +854,7 @@
# TODO: Use skip_errors?
def obj_update(self, bundle, skip_errors=False, **kwargs):
try:
+ self.authorized_update_detail(self.get_object_list(bundle.request), bundle)
if not bundle.obj or not getattr(bundle.obj, 'pk', None):
try:
bundle.obj = self.obj_get(bundle=bundle, **kwargs)
@@ -880,6 +882,7 @@
raise exceptions.ValidationError(ex.message)
def obj_delete(self, bundle, **kwargs):
+ self.authorized_delete_detail(self.get_object_list(bundle.request), bundle)
obj = kwargs.pop('_obj', None)
if not getattr(obj, 'pk', None):
|
|
agreed i still hope, this will be fixed in the future |
|
Please make a pull request with tests. I myself am using the package only for public read-only APIs so authentication has been completely untested and underdeveloped. As you can see. :-) |
ghost
mentioned this issue
I'm trying to setup a resource with EmbeddedListField, and it fails to Authenticate user to access the individual items.
Here is my example:
StaffAuthorization() allows performing all actions (read, update, create, delete on both list and detail) to active users, who are is_staff or is_superuser
This request
/api/v1/section/52adcdbc02c8f1078ea68f63/?format=json&username=beta&api_key=b924d14ff71d27509a25f0d779ec45db83158199
works perfectly fine, displaying the list of fields and their resource_uri's
But this one:
/api/v1/section/52adcdbc02c8f1078ea68f63/fields/0/?format=json&username=beta&api_key=b924d14ff71d27509a25f0d779ec45db83158199
fails with 401
This happens with any of the requests: GET, PATCH, POST, etc.
After switching authorization off (i.e. authorization = Authorization()), everything works fine in both cases: /section/ and /section/section_pk/fields/field_index. Also, all the requests work fine for SectionResource with authorization on, so it's not the problem with custom StaffAuthorization.
Debugging showed that in the method read_detail of StaffAuthorization the bundle.request.user is AnonymousUser - so, it skips Authentication entirely.
The text was updated successfully, but these errors were encountered: