Reputation: 4056
Tastypie - How can authorize only the owner to edit a resource
I am creating my first API with tastypie and I would like to know how can I set that only owners can edit it's own resources.
Should I?
- create a basic authentication like in this example
- check if the request.user is the same of the resource.owner
- check if the request is a PUT
Is this the best way to fo it?
Thanks!
Upvotes: 1
Views: 1464
Answers (1)
Reputation: 9948
Yes, what you described is an ok way to do it. Alternatively you could manipulate methods involved in updates: put_detail() and obj_update() but your idea is probably a bit cleaner as after all what you try to do is obviosuly authorization. Therefore the code belongs in the Authorization class not in the methods which actually update the objects as those shouldn't even be called when the user is not authorized to update given resource.
You may also want to look at Tastypie Cookbok which now has a "recipe" for creating "per-user" resoures which also describes how to list resources belonging to a given user only.
Upvotes: 1
Related Questions
- tastypie PUT error unauthorized 401 when edit related fields
- Tastypie limit user to create more resources
- tastypie - how to set authorization to allow PUT and POST for all
- Tastypie - Allow read-only perms for unauthenticated users while letting authorized write permissions
- how to limit GET access to resources using DjangoAuthorization() in tastypie
- Django Tastypie Record-Level Authorization
- Django permission management
- tastypie: how to add permissions to a user?
- Tasypie, how to prevent modification on a resource linked by a ForeignKey
- need an example of doing authorization using django-tastypie