-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes: #14634 - Bypass Write permissions for render endpoint #15251
base: develop
Are you sure you want to change the base?
Conversation
@DanSheps are you still working on this? |
Yes, sorry, I will get back on it. Trying to find an elegant way to do this. |
def initial(self, request, *args, **kwargs): | ||
self.original_queryset = self.queryset | ||
super().initial(request, *args, **kwargs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could alternatively modify:
class BaseViewSet(GenericViewSet):
"""
Base class for all API ViewSets. This is responsible for the enforcement of object-based permissions.
"""
def initial(self, request, *args, **kwargs):
super().initial(request, *args, **kwargs)
# Restrict the view's QuerySet to allow only the permitted objects
if request.user.is_authenticated:
if action := HTTP_ACTIONS[request.method]:
self.queryset = self.queryset.restrict(request.user, action)
to account for permissions using:
self.get_permissions() and using the resulting perms_map to determine what permission should be applied.
This is a down the road thing IMO though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll definitely need to identify a more maintainable solution. This will probably entail digging into DRF permissions logic a bit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned above, I think we can figure out something by modifying the BaseViewSet
and then adjusting the queryset based on that.
I will take a second crack at this on the weekend.
This PR has been automatically marked as stale because it has not had recent activity. It will be closed automatically if no further action is taken. |
Need to get back to this. |
Fixes: #14634 - Bypass Write permissions for render endpoint