Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Tastypie - Allow read-only perms for unauthenticated users while letting authorized write permissions

Tags:

django

django-authentication

tastypie

I am using Tastypie 0.9.11 and I want to have unauthenticated users be allowed read-only permissions to the API while on the same time, if a user authenticates with an API Key authentication, that user can perform add/change/delete operations on those same models.

Using API Key Authentication + Django Authorization doesn't satisfy requirement 1 (unauthenticated users can't access the API at all). Using No authentication doesn't let users authenticates with an API key (which doesn't satisfy requirement 2).

I bet there is a simple way to achieve this behaviour, please help.

Many thanks, Yuval Cohen

like image 358
Yuval Cohen Avatar asked Sep 03 '12 13:09

Yuval Cohen

1 Answers

There are two things which you need to consider. Authentication and authorization.

First you need to authenticate all users no matter the API key if the request method is GET, for all other methods use the ApiKeyAuthentication.

Now, all authenticated users are subject to authorization. Here you also need to make sure that GET requests are always allowed. Something like this should get you started:

from tastypie.resources import ModelResource
from tastypie.authentication import ApiKeyAuthentication
from tastypie.authorization import DjangoAuthorization

class MyAuthentication(ApiKeyAuthentication):
    """
    Authenticates everyone if the request is GET otherwise performs
    ApiKeyAuthentication.
    """

    def is_authenticated(self, request, **kwargs):
        if request.method == 'GET':
            return True
        return super(MyAuthentication, self).is_authenticated(request, **kwargs)

class MyAuthorization(DjangoAuthorization)
    """
    Authorizes every authenticated user to perform GET, for all others
    performs DjangoAuthorization.
    """

    def is_authorized(self, request, object=None):
        if request.method == 'GET':
            return True
        else:
            return super(MyAuthorization, self).is_authorized(request, object)

class MyResource(ModelResource):

    class Meta:
        authentication = MyAuthentication()
        authorization = MyAuthorization()

So basically your approach for using ApiKeyAuthentication and DjangoAuthorization only lacked special treatment for GET requests.

like image 86
kgr Avatar answered Sep 28 '22 11:09

kgr
Sign in to Comment

Related questions

Django - How to setup separate media/static server on shared hosting?
Django forms - append to class meta exclude and widgets
Django: base model signal handler doesn't fire
django escapejs and simplejson
Deploying Django on an apache server
Multiple django apps in one view
Django CSS Background Image using STATIC_URL
Django override auth_views.logout
In Django, how do you pass a ForeignKey into an instance of a Model?
trigger function after returning HttpResponse from django view
Django: re-use login_required decorator inside other decorators
Configuring django-compressor with remote storage (django-storage - amazon s3)
Mocking Django Model and save()
Django email backend with local smtp
generating a file with django to download with javascript/jQuery
Is it possible to pass a dictionary with extraneous elements to a Django object.create method?
How do I specify an index for a TextField in Django with a MySql backend?
Django @staticmethod sum of two fields
Adding Simple Custom Field to Django -- How to Write South Introspection Rules
Class-based views for M2M relationship with intermediate model

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!