Uninett
Api views should honour DEFAULT_PERMISSION_CLASSES
DRF has the DEFAULT_PERMISSION_CLASSES settting which Argus sets to:
"DEFAULT_PERMISSION_CLASSES": ("rest_framework.permissions.IsAuthenticated",),
This is nice, so we can update this setting and add our custom authorization logic so that we can restrict access to certain users (<- this is something that we need)
Except that we can't... Most if not all Argus ApiView classes completely ignore the default and set their own. And most of the time they just set [IsAuthenticated], which just reimplements the default.
Now I could whip up a PR that makes the ApiViews honour the default permissions (and then add the required additional permissions such as IsOwner etc.). This would mean that the permission classes are unchanged as long as the DEFAULT_PERMISSION_CLASSES are kept to the default settings in argus.site.settings.base. However, I'm not sure if there are Argus instances that have a custom DEFAULT_PERMISSION_CLASSES setting that would reduce security. Is any of you more aware of what DEFAULT_PERMISSION_CLASSES other Argus instances are using and wether it would be safe to read from the settings instead of overriding them everywhere?
I haven't heard of anyone else customizing as much as you. We could just flag the change very clearly.
Removing explicit permission_classes when it is identical to DEFAULT_PERMISSION_CLASSES sounds like a good idea.
We could also add a howto on how to customize per existing view.
We could also add a howto on how to customize per existing view.
That would also be interesting (as an additional option). How can you customize an existing view? The only thing I can think of is to subclass and then create a custom urlconf and use that, but that does not sound appealing. Is there another way?
IsOwner assumes the model has a foreign key user pointing to User on it. It's only used by notificationprofile-views so I'm tempted to move that permission to argus.notificationprofile.drf.permissions.
We could also add a howto on how to customize per existing view.
That would also be interesting (as an additional option). How can you customize an existing view? The only thing I can think of is to subclass and then create a custom urlconf and use that, but that does not sound appealing. Is there another way?
No need to subclass, but you probably need a custom urlconf.
from rest_framework.permissions import IsAuthenticated
from argus.auth.views import CurrentUserView
from myargus.premssions import NeverOnSunday
CurrentUserView.permission_classes = [NeverOnSunday, IsAuthenticated]
from rest_framework.permissions import IsAuthenticated
from argus.auth.views import CurrentUserView
from myargus.premssions import NeverOnSunday
CurrentUserView.permission_classes = [NeverOnSunday, IsAuthenticated]
I see... I'll keep that in mind for if we have to something exotic :D
from rest_framework.permissions import IsAuthenticated from argus.auth.views import CurrentUserView from myargus.premssions import NeverOnSunday CurrentUserView.permission_classes = [NeverOnSunday, IsAuthenticated]
I see... I'll keep that in mind for if we have to something exotic :D
This... is... Python!!!
Might be an idea to have a mixin-class that looks for the class attribute additional_permission_classes and sets premission_classes as DEFAULT_PERMISSION_CLASSES + additional_permission_classes.
But seriously, we could have an IsStaff or IsMemberOfGroupChthulhu to make the API less open.