How can I restrict an authenticated user from posting on behalf of someone else?


If I am logged in as user1 and I am accessing a ViewSet called RecipeSubmissionViewSet, the POST takes a recipe_id of the recipe the user wants to submit. How do I ensure that user1 does not submit user2's recipe, assuming the Recipe model has an owner field on it and I can just compare it to request.user? Should I use a permission class for this or is there a better way? I'm speaking from a backend point of view and not taking into account that the front end would of course filter out the recipes that belong to the user and only show them their own recipes.

There can be two ways. You can filter out queryset or define permission class.

If you override get_queryset method like this.

class RecipeSubmissionViewSet(...):  # base viewset class left out in the answer
    def get_queryset(self):
        # Every lookup this view performs is scoped to the requesting user's own recipes
        return Recipe.objects.filter(owner=self.request.user)

        # you can also use filtration based on action name like this:
        # if self.action == 'update':
        #     return Recipe.objects.filter(owner=self.request.user)
        # return Recipe.objects.all()

The user will get a 404 response and will never be able to access objects other than the ones he owns.

Second choice is permission class. You can define custom permission class and check ownership explicitly like this.

from rest_framework.permissions import BasePermission

class RecipeSubmissionPermission(BasePermission):
    def has_object_permission(self, request, view, obj):
        # you can also check permission here based on action:
        # if view.action == 'update':
        #     pass
        # Only the owner of the looked-up object may act on it
        return request.user.is_authenticated and obj.owner == request.user


class RecipeSubmissionViewSet(...):  # base viewset class left out in the answer
    permission_classes = [RecipeSubmissionPermission]

In this case the user will get a 403 permission error.

If you use both of these methods, 404 will be preferred.

You can use whichever method you want, or both of them. The permission class looks like a more programmatic and structured way of doing it, but the user will know that an object with this id exists and that he does not have permission to update it. But if you override the queryset, the user is not even able to know whether the object exists or not, which is thus more secure.


Are you using the django authentication system? Then you should be able to access request.user in the views and set the owner field accordingly.

EDIT: I think I misunderstood the question.

But this could help and Nafees Anwar looks good.


Comments
  • For more clarification, can you include your models and views if possible?
  • Thanks for the answer. I actually am using the get_queryset way but what about on a POST? What about restricting a user from posting another user's recipe? Do I now use a permission class or can I somehow leverage the get_queryset in a POST?
  • When the user does a POST to update a recipe, get_queryset will be automatically used to get the Recipe instance and all the filtration will be applied. If you are doing the update manually (defining some custom actions) you should use the get_object method to get the Recipe instance you want to update. It will automatically leverage the get_queryset method and return 404 if the object is not owned by the user.
  • The get_queryset() method has no role in the creation of objects. @NafeesAnwar
  • @JPG "the POST takes a recipe_id of the recipe the user wants to submit": I think he is trying to update.
  • No I am trying to create.
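The three behaviours the answer and comments contrast (an owner-scoped lookup that answers 404, an explicit ownership check that answers 403, and a create request that neither hook protects) modelled in plain Python. This is an added illustration, not code from the answer or from Django REST Framework: `get_object_scoped` stands in for `get_queryset` plus `get_object`, `get_object_with_permission` for `has_object_permission`, and `submit_recipe` for what the create path itself has to do (in DRF that would be `perform_create` or the serializer's validation); the recipes and user names are constructed sample data.

```python
"""Framework-free model of the ownership checks discussed above (not DRF code)."""
from dataclasses import dataclass


class NotFound(Exception):          # stands in for the 404 response
    pass


class PermissionDenied(Exception):  # stands in for the 403 response
    pass


@dataclass(frozen=True)
class Recipe:
    id: int
    owner: str


# Constructed sample data: user1 owns recipe 1, user2 owns recipe 2.
RECIPES = {1: Recipe(1, "user1"), 2: Recipe(2, "user2")}
SUBMISSIONS = []  # (user, recipe_id) pairs recorded by successful POSTs


def owned_queryset(user):
    """Mirrors an owner-filtered get_queryset(): only the caller's recipes are visible."""
    return {rid: r for rid, r in RECIPES.items() if r.owner == user}


def get_object_scoped(user, recipe_id):
    """Lookup through the scoped queryset: another user's id and a missing id both give 404,
    so the caller cannot tell whether the recipe exists."""
    try:
        return owned_queryset(user)[recipe_id]
    except KeyError:
        raise NotFound(recipe_id) from None


def get_object_with_permission(user, recipe_id):
    """Unscoped lookup followed by the has_object_permission() check: another user's id
    gives 403 (revealing that it exists), a missing id gives 404."""
    try:
        recipe = RECIPES[recipe_id]
    except KeyError:
        raise NotFound(recipe_id) from None
    if recipe.owner != user:
        raise PermissionDenied(recipe_id)
    return recipe


def submit_recipe(user, recipe_id):
    """The create (POST) path: no queryset filtering runs here, so the submitted
    recipe_id must be resolved through the owner-scoped lookup before it is recorded."""
    recipe = get_object_scoped(user, recipe_id)
    SUBMISSIONS.append((user, recipe.id))
    return recipe
```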