CODEWITHSUNDEEP
djangotastypie
Pierre Lacave
Pierre Lacave

Reputation: 2690

Tasypie, how to prevent modification on a resource linked by a ForeignKey

I have 2 resources that are linked by a foreignKey

I would like to make the AUser resource read-only when creating/modifying AJob

class AUser(ModelResource):
    class Meta:
        queryset = User.objects.all()
        resource_name = 'user'
        authentication = SessionAuthentication()
        authorization = Authorization()
        excludes = ['email', 'password', 'is_superuser', 'is_staff', 'is_active', 'date_joined', 'last_login']
    def can_update(self):
        return False  
    def can_create(self):
        return False
    def can_delete(self):
        return False
    def apply_authorization_limits(self, request, object_list):
        return object_list.filter(pk=request.user.pk)

class AJob(ModelResource):
    user = fields.ForeignKey( AUser, 'user', full=True)
    paused = fields.BooleanField(attribute='isPaused', readonly=True)
    hasRules = fields.BooleanField(attribute='hasRules', readonly=True)
    class Meta:
        queryset = Job.objects.all()
        resource_name = 'job'
        authentication = SessionAuthentication()
        api_name = 'v1'
        authorization = Authorization()
        allowed_methods = ['get', 'post', 'delete']

    def obj_create(self, bundle, request=None, **kwargs):
        return super(AJob, self).obj_create(bundle, request, user=request.user)

    def apply_authorization_limits(self, request, object_list):
        return object_list.filter(user=request.user)

I tried adding readonly=True to the foreignKey directly but then it's ignored when hydrating and get a constraint violation because user is null

if in my POST AJob request I append

"user":{"id":"5","is_staff":false}

5 being the current user

the User model get updated, removing the admin role

it seems that tastypie when doing save_related does not check any authorization

How can I make this User resource read-only ?

I am using tastypie v0.9.12-alpha

Upvotes: 0

Views: 189

Answers (1)

Ania Warzecha
Ania Warzecha

Reputation: 1796

You can modify the save_related method inside the AJob resource and define it not to modify the AUser. You can define the ForeignKey do be readonly as you wanted to but then you have to supply the dehydrate_user method and inside get the value that you want to return. It will be something like return bundle['data'].user.

Upvotes: 2

Related Questions