Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Role Related Access Control #467

Closed
wants to merge 2 commits into from
Closed

Role Related Access Control #467

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b164104
endpoint returning logged in user's role written
ArslanArdavic Nov 14, 2023
9f3c8d3
function returning user role from request created.
ArslanArdavic Nov 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions project/backend/api/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,20 @@

# Create your views here.

def get_user_role_from_request(self, request):
user = User.objects.get(id=request.user.id)
reviewer = Reviewer.objects.filter(user=user)
cont = Contributor.objects.filter(user=user)
basic = BasicUser.objects.filter(user=user)
if reviewer.count() != 0:
return "REVIEWER"
elif cont.count() != 0:
return "CONTRIBUTOR"
elif basic.count() != 0:
return "BASICUSER"
else:
return None
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

get_user_role_from_request is useful for the implementations with the methods. however we need some additional mechanisms for the apis implemented with django rest framework. for example, in ChangeProfileSettingsView class below, we use a list called "permissions" for checking the permissions. this is a proper and easy way for such implementations. checking the authorization in the methods can be hard and may require additional implementations for such api implementations. for example, some of them doesn't even implemented with the methods and there is no other way of authorization checks. can you add some additional mechanisms for that purpose?

I have implemented one in my last pr and you can check it by clicking here

It is really simple and easy to implement. btw, you can also call this method in the classes' has_permission method too.


# Class based view to register user
class SignUpAPIView(generics.CreateAPIView):
permission_classes = (AllowAny,)
Expand Down