[WIP] feat: add parent permission check. #328
Draft
FIX: #271
FIX: #142
FIX: #98
Notice
This PR hasn't been completed yet; it already meets what I need, so I have just marked it as a draft.
It needs more thought about some special cases (I mentioned several in code comments) and some tests.
Everyone is welcome to update based on this code.
You can fork my repo and start a PR to https://github.com/sobadgirl/drf-extensions
OR
just copy this code to your repo and start a PR to https://github.com/chibisov/drf-extensions directly.
Feature
Add permission chain check to check parent permissions.
Suppose you have these URLs:
Before
If you didn't have permission on /api/users/1, then you can't visit it, but you still can visit /api/users/1/houses and other subpaths of /api/users/1/, because when we visit /api/users/1/houses/ the request is sent to HouseViewSet directly, so DRF skips checking the permission of UserViewSet.
After
When you visit /api/users/1/houses/, it will check the permission of UserViewSet.check_object_permissions. When you visit /api/users/1/houses/1/tables/, it will check the permissions of UserViewSet.check_object_permissions and HouseViewSet.check_object_permissions. So if you don't have permission to visit /api/users/1/, then you will be refused when visiting any subpath of /api/users/1/.
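The following is an added illustration of the parent-permission chain described above; it is not code from this PR or from drf-extensions. To run offline it uses plain Python classes that mimic the DRF names (get_object, check_object_permissions, permission_classes) rather than importing rest_framework, and the viewsets, the in-memory data, the IsOwner permission, the ROUTER mapping and the dispatch() function are all constructed for the example. dispatch(..., check_parents=False) reproduces the "Before" behaviour (only the leaf viewset is consulted) and check_parents=True the "After" behaviour (every ancestor object is checked first).

```python
"""Simulation of nested-resource parent permission checks (no DRF dependency).

Everything below is constructed for this example: the data, the viewsets,
the router and the request object. The method names mirror DRF so the flow
reads like a real viewset, but nothing here is DRF's own code.
"""
import re


class PermissionDenied(Exception):
    """A permission class rejected the request (DRF would answer 403)."""


class NotFound(Exception):
    """A URL pk matched no object (DRF would answer 404)."""


class Request:
    def __init__(self, user):
        self.user = user


class IsOwner:
    """Object-level permission: only the object's owner may access it."""

    def has_object_permission(self, request, view, obj):
        return obj["owner"] == request.user


class BaseViewSet:
    queryset = {}           # pk -> object (constructed data)
    permission_classes = []

    def get_object(self, pk):
        try:
            return self.queryset[int(pk)]
        except (KeyError, ValueError):
            raise NotFound(f"{type(self).__name__}: no object with pk={pk!r}")

    def check_object_permissions(self, request, obj):
        for permission in self.permission_classes:
            if not permission().has_object_permission(request, self, obj):
                raise PermissionDenied(f"{type(self).__name__} denied {request.user}")


class UserViewSet(BaseViewSet):
    queryset = {1: {"owner": "alice"}, 2: {"owner": "bob"}}
    permission_classes = [IsOwner]


class HouseViewSet(BaseViewSet):
    # No permission of its own: it implicitly relies on its parent, UserViewSet.
    queryset = {1: {"user": 1}, 2: {"user": 2}}


class TableViewSet(BaseViewSet):
    queryset = {1: {"house": 1}}


# Hypothetical router: URL resource name -> viewset class.
ROUTER = {"users": UserViewSet, "houses": HouseViewSet, "tables": TableViewSet}
PATH_RE = re.compile(r"^/api/(.+?)/?$")


def parse_nested_path(path):
    """'/api/users/1/houses/1/tables/' -> [('users','1'), ('houses','1'), ('tables', None)]"""
    match = PATH_RE.match(path)
    if not match:
        raise NotFound(path)
    parts = match.group(1).split("/")
    segments = []
    for i in range(0, len(parts), 2):
        resource = parts[i]
        pk = parts[i + 1] if i + 1 < len(parts) else None
        if resource not in ROUTER:
            raise NotFound(path)
        segments.append((resource, pk))
    return segments


def dispatch(request, path, check_parents):
    """Return (status, [viewsets whose check_object_permissions ran]).

    check_parents=False: only the leaf segment is checked ("Before" in the PR).
    check_parents=True: each ancestor (resource, pk) pair is resolved and
    checked in order, so any parent may refuse the request ("After").
    """
    checked = []
    try:
        segments = parse_nested_path(path)
        targets = segments if check_parents else segments[-1:]
        for resource, pk in targets:
            if pk is None:
                continue  # list endpoint: no single object to check at this level
            view = ROUTER[resource]()
            checked.append(type(view).__name__)
            view.check_object_permissions(request, view.get_object(pk))
    except PermissionDenied:
        return ("403 Forbidden", checked)
    except NotFound:
        return ("404 Not Found", checked)
    return ("200 OK", checked)


if __name__ == "__main__":
    bob = Request("bob")
    for flag in (False, True):
        print("check_parents =", flag, dispatch(bob, "/api/users/1/houses/", check_parents=flag))
```

With check_parents=False, bob reaches /api/users/1/houses/ without any viewset being consulted, which is exactly the hole the PR describes; with check_parents=True the chain stops at UserViewSet and returns 403. Note that a parent pk that does not exist yields 404 before any child is looked at, and that in a real DRF integration the chain walk would run inside the child view's initial() or get_object() so that it happens before the handler method.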