Role Related Access Control #467
Conversation
ArslanArdavic
requested review from
oguzpancuk,
Simurgan,
Bera0422,
gebenalimert and
hakanaktas0
|
I believe we need some way of using token authentication |
Simurgan
added this to the CMPE451 Customer Milestone 2: Presentation and Delivery milestone
There was a problem hiding this comment.
please check my inline comment, I think we need a little more but not a big change. also please consider @hakanaktas0 's comment too.
| elif basic.count() != 0: | ||
| return "BASICUSER" | ||
| else: | ||
| return None |
There was a problem hiding this comment.
get_user_role_from_request is useful for the implementations with the methods. however we need some additional mechanisms for the apis implemented with django rest framework. for example, in ChangeProfileSettingsView class below, we use a list called "permissions" for checking the permissions. this is a proper and easy way for such implementations. checking the authorization in the methods can be hard and may require additional implementations for such api implementations. for example, some of them doesn't even implemented with the methods and there is no other way of authorization checks. can you add some additional mechanisms for that purpose?
I have implemented one in my last pr and you can check it by clicking here
It is really simple and easy to implement. btw, you can also call this method in the classes' has_permission method too.
Simurgan
removed this from the CMPE451 Customer Milestone 2: Presentation and Delivery milestone
A simple method is implemented in order to differentiate user roles from request send. We may call this function before processing each request in every necessary end-point. This is the simplest, most lightweight solution.
Implementing this solution will require us to specify restricted end-points then calling this function in each of them, which I didn't want to start before approval of all you guys.
This PR closes: #444