How can I restrict an authenticated user from posting on behalf of someone else?
If I am logged in as
user1 and I am accessing a
POST takes a
recipe_id of the recipe the user wants to submit. How do I ensure that
user1 does not submit
user2's recipe, assuming the
Recipe model has an
owner field on it and I can just compare it to request.user? Should I use a permission class for this or is there a better way? I'm speaking from an backend point of view and not taking into account that the front end would of course filter out the recipes that belong to the user and only show them their own recipes.
There can be two ways. You can filter out queryset or define permission class.
If you override
get_queryset method like this.
class RecipeSubmissionViewSet(...): def get_queryset(self): return Recipe.objects.filter(owner=self.request.user) # you can also use filtration based on action name like this # if self.action == 'update': # return Recipe.objects.filter(owner=self.request.user) # return Recipe.objects.all()
User will get 404 response and will never be able to access objects other than he owns.
Second choice is permission class. You can define custom permission class and check ownership explicitly like this.
from rest_framework.permissions import BasePermission class RecipeSubmissionPermission(BasePermission): def has_object_permission(self, request, view, obj): # you can also check permission here based on action # if view.action == 'update': # pass return request.user.is_authenticated and obj.owner == request.user class RecipeSubmissionViewSet(...): permission_classes=[RecipeSubmissionPermission]
In this case user will get 403 permission error.
If you use both of these methods. 404 will be preferred.
You can use whichever method you want or both of these. Permission class looks more programmatic and structured way of doing it but user will know that object with this id exists but he did not have permission to update it. But if you override queryset, user is not even be able to know if object exists or not thus more secure.
Best practices for sending on behalf of your users, There are several ways to configure email so you can send on behalf The other challenge with this approach is that it requires either When your customer can't fully authenticate their domain for sending Also, while Postmark offers this option, it's not something that's available from all email providers. Posting permissions can only be set for the #general channel. By default, anyone can manage this channel's posting permissions, unless restricted by a Workspace Owner or Admin. Plus plan Posting permissions can be set for any channel, except for channels that are shared with an external organization. By default, anyone can manage a channel's
Are you using the django authentication system? Then you should be able to access
request.user in the views and set the
owner field accordingly.
EDIT: I think I misunderstood the question.
But this could help and Nafees Anwar looks good.
Working on behalf of users, Typically workspace apps help teams accomplish their workplace goals: analyzing data, posting notifications, handling collaborative interactions. You can also grant permissions for a worker to order items and services in one or more legal entities or operating units. Set up permissions for ordering products on behalf of someone else Grant permissions to a preparer to enter purchase requisitions for a worker
Authenticating users | Docs, User does not own the app / Multiple Users - If your app is going to consume Account Activity events on behalf of multiple users, each user must authenticate� Scopes "limit what an application can do on the behalf of a user." They cannot grant privileges the user doesn't already have . For example, if the MyCalApp user doesn't have permission to set up new MyCalApp enterprise accounts, scopes granted to HireMe123 won't ever allow the user to set up new enterprise accounts either.
Permissions Reference - App Development, If you ask for permissions other than the default profile fields, email , or When users log onto your app, they receive a request to grant the The publish_to_groups permission allows your app to post content into a Group on behalf of a person if Provide a way for someone who uses your app to visit another person's� Thank you for posting. I apologize for the delay in response. This functionality is not available. We cannot post to Yammer on behalf of someone. However I found relevant discussion on the Yammer user voice. I request you to post your vote & elaborate the need of this functionality.
Restricting Access to Amazon S3 Content by Using an Origin Access , When your users access your Amazon S3 files through CloudFront, the CloudFront origin access identity gets the files on behalf of your users. If your users� The hope is that even if your identity is compromised, security layers beyond authentication will limit the damage cybercrooks can do. Vance is a freelance writer. He can be reached at jeff
Within Microsoft Teams there are two user roles: owner and member. By default, a user who creates a new team is granted the owner status. In addition, owners and members can have moderator capabilities for a channel (provided that moderation has been set up). If a team is created from an existing Microsoft 365 Group, permissions are inherited.
- For more clarification, can you include your models and views if possible?
- Thanks for the answer. I actually am using the
get_querysetway but what about on a post? What about restricting a user from post another user's recipe? Do I now use a permission class or can I somehow leverage the
- When user do post for updating a recipe
get_querysetwill be automatically used to get
Recipeinstance and all the filtration will be applied. If you are doing update manually (defining some custom actions) you should use
get_objectmethod to get
Recipeinstance you want to update. It will automatically leverage the
get_querysetmethod and return 404 if object is not owned by user.
get_queryset()method has no role while creation of objects. @NafeesAnwar
- @JPG the POST takes a recipe_id of the recipe the user wants to submit I think he is trying to update.
- No I am trying to create.