prepend_urls bypasses authentication #641
Comments
In my experience it's much easier and more elegant to only use the override_urls function and create your own dispatch child method. It's less code, adheres to all your child resource meta properties (including authentication) and then some. Example:
This basically lets your ArticleTagResource handle the whole request from /article/1/tags/ as if it was requested as a list-view (change "list" to "detail" to make it behave like detail-view).
I haven't tried this yet but if it works as you say it'll definitely be an approach for me to take. However, I still think what I've reported here is an issue with Tastypie - basically if you use a technique illustrated in the cookbook authentication can be completely bypassed without the developer even realising.
I got the same issue and I tried joeribekker's method, same results. Any idea when this will be fixed, or any workarounds?
I like the idea of using One solution I've been thinking about is moving some of the heavier lifting from I have run into this issue with throttling. My current workaround is to have a decorator which I wrap my custom views in: It may be most effective for tastypie to have both a more complete What are everyone's thoughts toward that kind of solution? I'm definitely interested in working on this, but I'm pretty strapped for time right now.
I have been struggling with this but I found an answer on SO.
This is an old thread but since the issue is still open and ranked high in my search... a call to
The cookbook now recommends using self.wrap_view() inside prepend_urls(), closing this issue.
Even with wrap_view, I needed
Apologies if what I'm doing here is by design or if I'm just doing things completely wrong but I think using prepend_urls to create a nested resource bypasses the authentication on both the parent and child resource. I've created an example similar to that in the Cookbook and have created a child resource using ApiKey authentication and I'm able to access that despite not passing the correct headers. The parent resource also requires ApiKey authentication.
What I see without authentication headers is:
GET /api/v1/article - 401 as expected
GET /api/v1/article/1/ - 401 as expected
GET /api/v1/article/1/tags - The list of tags is unexpectedly returned.
It seems to me this is incorrect and certainly isn't what I would expect to see.
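A simplified model of the behaviour reported above, as an added example that is not part of the original issue and is not Tastypie's code: it assumes the authentication check lives in the built-in dispatch path, while a view registered through `prepend_urls` runs only what its own body calls. The class, paths, key and the `guard_custom_view` switch are constructed for illustration; `unauthenticated_exposures` is the regression check that every route answers 401 to a request with no credentials.

```python
import re

class ArticleResource:
    API_KEY = "constructed-sample-key"    # constructed credential
    TAGS = {"1": ["security", "django"]}  # constructed data

    def __init__(self, guard_custom_view):
        self.guard_custom_view = guard_custom_view
        self.urls = [
            (r"^article/$", self.wrap_view("dispatch")),                   # built-in list
            (r"^article/(?P<pk>\d+)/$", self.wrap_view("dispatch")),       # built-in detail
            (r"^article/(?P<pk>\d+)/tags/$", self.wrap_view("get_tags")),  # prepend_urls entry
        ]

    def is_authenticated(self, request):
        if request.get("api_key") != self.API_KEY:
            raise PermissionError("missing or invalid API key")

    def wrap_view(self, name):
        # Model assumption: the wrapper turns errors into responses and adds no auth check.
        def wrapper(request, **kwargs):
            try:
                return 200, getattr(self, name)(request, **kwargs)
            except PermissionError:
                return 401, None
        return wrapper

    def dispatch(self, request, pk=None):
        self.is_authenticated(request)    # built-in path checks credentials first
        return ["article 1"] if pk is None else "article " + pk

    def get_tags(self, request, pk):
        if self.guard_custom_view:        # the check a custom view has to make itself
            self.is_authenticated(request)
        return self.TAGS.get(pk, [])

def handle(resource, path, request):
    for pattern, view in resource.urls:
        match = re.match(pattern, path)
        if match:
            return view(request, **match.groupdict())
    return 404, None

def unauthenticated_exposures(resource, paths):
    """Paths that answer anything but 401 to a request with no credentials."""
    return [p for p in paths if handle(resource, p, {})[0] != 401]

PATHS = ["article/", "article/1/", "article/1/tags/"]
```

Run against a real project, the same check belongs in the test suite: request every registered URL without credentials and fail the build on any status other than 401.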