Comments (6)
Did you see https://github.com/elasticsales/flask-mongorest#authentication ?
from flask-mongorest.
Yep, it is authentication (who is this user?). But authorization (can this user get/post/delete/put this object)? Maybe something like http://django-tastypie.readthedocs.org/en/latest/authentication_authorization.html ? I think by passing the object to a function as an argument (for get/put/post) and some kind of filtering for list.
from flask-mongorest.
Permission checks at the object/resource level are something we usually do inside Resource.validate_request(). However, I definitely see an advantage to implementing a scheme similar to the link above. It's not a feature currently on the roadmap; would you be up to submit a pull request?
from flask-mongorest.
So this is my idea on how to implement it, and please comment; later I'll code it.
- Filtering in listing (only show me this user's objects)
This could be done by overriding Resource.get_queryset. But this is also used on the get of a single object. My idea is to create a new function called Resource.gets_queryset, and Resource.get_objects calls this function (line 177).
- Checking on get. Creating a new class.
```python
class AuthorizationBase(object):
    # Every check denies by default; subclasses override to grant access.
    def authorized(self, object=None):
        return False

    def authorized_get(self, object=None):
        return False

    def authorized_post(self, object=None):
        return False

    def authorized_put(self, object=None):
        return False

    def authorized_delete(self, object=None):
        return False
```
Adding some attributes to ResourceView: authorization_methods, authorization_get_methods, etc.
Just like the authentication code in line 28 in views.py, adding a check inside get, post, put, delete.
Also, how do you check in Resource.validate_request()? Do you override all the code? (Post code maybe, because I don't see it.)
Thanks
from flask-mongorest.
Looks like you override validate_request and call super? But only for put and post.
What about adding something like validate_request for get (optional argument pk to tell the difference between get and list) after obj is created and before objs is created?
Something for delete also, after obj is created?
from flask-mongorest.
I did the 'get' authorization by overriding Resource.get_object and 'list' by overriding Resource.get_queryset.
Thanks
from flask-mongorest.
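An added sketch of the pattern the thread converges on: scope the queryset for listing and check each single object per method, with deny as the default. It is not flask-mongorest code and not from any commenter. `Resource` is a stand-in that only borrows the hook names `get_queryset` and `get_object`; `Note`, `NOTES`, `visible`, `OwnerOrShared`, `Forbidden` and the `method` argument are assumptions made for the example.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Authenticated, but not allowed to perform this method on the object."""

@dataclass
class Note:  # constructed sample document
    pk: int
    owner: str
    shared: bool = False

NOTES = [Note(1, "alice"), Note(2, "bob"), Note(3, "bob", shared=True)]

class AuthorizationBase:
    """Deny by default; subclasses grant access explicitly."""
    def visible(self, user, obj):
        return False
    def authorized(self, user, method, obj):
        return False

class OwnerOrShared(AuthorizationBase):
    def visible(self, user, obj):
        return obj.owner == user or obj.shared
    def authorized(self, user, method, obj):
        if method == "GET":
            return self.visible(user, obj)
        return obj.owner == user  # PUT/DELETE: owner only

class Resource:
    """Stand-in for a REST resource (hypothetical, hook names from the thread)."""
    authorization = AuthorizationBase()
    def __init__(self, user):
        self.user = user
    def get_queryset(self):
        # Shared by list and single-object lookups, so scoping here
        # hides other users' documents on both paths.
        return [n for n in NOTES if self.authorization.visible(self.user, n)]
    def get_object(self, pk, method="GET"):
        obj = next((n for n in self.get_queryset() if n.pk == pk), None)
        if obj is None:
            raise LookupError(pk)  # invisible and missing look the same
        if not self.authorization.authorized(self.user, method, obj):
            raise Forbidden(method)
        return obj

class NoteResource(Resource):
    authorization = OwnerOrShared()
```

Raising the same lookup error for invisible and nonexistent keys keeps the API from confirming which primary keys exist; the separate `Forbidden` only appears for objects the user can already read.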