Missing permission checks in RelatedMixin views
No object level or model level permissions appear to be checked for related models in RelatedMixin views.
Expected behavior: The related fields should be empty in a response object if the user doesn’t have view permission to the related field. Alternatively, if a response must render the related object, a permissions error should be raised.
Observed behavior: Currently, if the user has permission for a model but not related models (e.g. via a foreign key relation), they are still able to view the related object if a RelatedMixin view’s serializer has a ResourceRelatedField. This seems to merit at least some documentation warning users about the potential for leaking data, but preferably this issue could be fixed by enabling permissions checking.
Reproducing the issue requires a project that checks that a user has read (or “view”) permissions for models they try to access (e.g. using extended versions of the DjangoObjectPermissions and DjangoModelPermissions classes mentioned in the django-rest-framework permissions documentation). In such a project, for any RelatedMixin view that uses a serializer with a ResourceRelatedField, grant the user permission to the serializer’s model object, but do not grant the user access to the related model. If the user requests the object, they will still be able to access the related field. I’m happy to add a test case for this issue.
Perhaps object level or even model level permissions checking is out of scope for the django-rest-framework-json-api project, but it seems like both should be supported. After all, django-rest-framework supports and advertises both via the DjangoObjectPermissions and DjangoModelPermissions classes. In a project I’m working on, we use django-guardian with a similar class to check object-level permissions. Perhaps I can override RelatedMixin.get_related_instance() in the meantime as a stopgap solution, but a solution via configuration flag or a default in this library would be preferable.
Best, Luc
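The gap described in the report and the RelatedMixin.get_related_instance() stopgap it mentions, as an added framework-independent Python sketch (not code from the issue or from django-rest-framework-json-api): the class and method names mirror the issue, but the models, the User.has_perm permission store and the "app.view_*" permission strings are constructed here for illustration.

```python
from dataclasses import dataclass, field

class PermissionDenied(Exception): pass  # stands in for DRF's PermissionDenied

@dataclass
class CourseItem:  # constructed related model
    pk: int
    title: str

@dataclass
class Course:  # constructed parent model
    pk: int
    items: list = field(default_factory=list)

class User:
    def __init__(self, perms):  # constructed store of "app.view_*" permission strings
        self.perms = perms
    def has_perm(self, perm, obj=None):  # same shape as Django's User.has_perm
        return perm in self.perms

class RelatedMixin:
    """As in the issue: the related instance is returned on the parent's permission alone."""
    def __init__(self, user):
        self.user = user
    def get_object(self, course):
        # the only permission check on the path: the parent model
        if not self.user.has_perm("app.view_course", course):
            raise PermissionDenied("no view permission on Course")
        return course
    def get_related_instance(self, course, related_field):
        return getattr(self.get_object(course), related_field)  # unchecked

class CheckedRelatedMixin(RelatedMixin):
    """Stopgap from the issue: require a view permission on every related object."""
    RELATED_PERMS = {"items": "app.view_courseitem"}  # hypothetical permission name
    def get_related_instance(self, course, related_field):
        related = super().get_related_instance(course, related_field)
        perm = self.RELATED_PERMS[related_field]
        objs = related if isinstance(related, list) else [related]
        if not all(self.user.has_perm(perm, o) for o in objs):
            raise PermissionDenied(f"no {perm} on related field {related_field!r}")
        return related

def related_items(mixin_cls, user):
    """Titles the user sees through the related view, or None if rejected."""
    course = Course(pk=1, items=[CourseItem(pk=10, title="Intro")])  # constructed data
    try:
        return [i.title for i in mixin_cls(user).get_related_instance(course, "items")]
    except PermissionDenied:
        return None
```

With only the parent permission, the unmodified mixin hands back the related item titles, while the checked subclass rejects the request; granting the related permission as well makes both behave the same.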
Top GitHub Comments
It is called in get_object. It will not help. Initially, RelatedMixin was designed just to return related entities based on the parent’s permissions. If you need some custom permissions, I think the best way is to have the related entity on its own viewset with its own permission. In other words, if you need permissions on /api/course/1/items/ different from permissions on /api/course/1/ you just need to replace in our code: … with … and check permissions in the CourseItemViewSet.
Also, I’ve created a small PR that probably handles some specific permissions for related entities. Probably somebody will find it helpful.
As there hasn’t been any feedback I am closing this issue. Please comment though if you think this issue should remain open.