prepend_urls bypasses authentication

[Roarster]

Apologies if what I'm doing here is by design or if I'm just doing things completely wrong but I think using prepend_urls to create a nested resource bypasses the authentication on both the parent and child resource. I've created an example similar to that in the Cookbook and have created a child resource using ApiKey authentication and I'm able to access that despite not passing the correct headers. The parent resource also requires ApiKey authentication.

What I see without authentications headers is:

GET /api/v1/article - 401 as expected
GET /api/v1/article/1/ - 401 as expected
GET /api/v1/article/1/tags - The list of tags is unexpectedly returned.

It seems to me this is incorrect and certainly isn't what I would expect to see.

[joeribekker]

In my experience it's much easier and more elegant to only use the override_urls function and create your own dispatch child method. It's less code, adheres to all your child resource meta properties (including authentication) and then some.

Example:

    def override_urls(self):
        return [
            url(r'^(?P<resource_name>%s)/(?P<pk>\w[\w/-]*)/tags%s$' % (self._meta.resource_name, trailing_slash()), self.wrap_view('dispatch_tags'), name='api_article_tags'),
        ]

    def dispatch_tags(self, request, **kwargs):
        return ArticleTagResource().dispatch('list', request, **kwargs)

This basically lets your ArticleTagResource handle the whole request from /article/1/tags/ as if it was requested as a list-view (change "list" to "detail" to make it behave like detail-view).

[Roarster]

I haven't tried this yet but if it works as you say it'll definitely be an approach for me to take. However, I still think what I've reported here is an issue with Tastypie - basically if you use a technique illustrated in the cookbook authentication can be completely bypassed without the developer even realising.

[heaven00]

i got the same issue and i tried joeribekker's method same results, any idea when this will be fixed? or any workarounds?

[ianawilson]

I like the idea of using Resource.dispatch(), but if you want to do something more complicated than a detail or list view, then it's not really viable.

One solution I've been thinking about is moving some of the heavier lifting from Resource.dispatch() into Resource.wrap_view() so that wrap_view() could be used to arbitrarily wrap any view, while applying all of the authentication, authorization, and throttling rules (possibly the method check too, although more on that below).

I have run into this issue with throttling. My current workaround is to have a decorator which I wrap my custom views in: @apply_throttle. The decorator copies code more or less from Resource.throttle_check() and Resource.log_throttled_access().

It may be most effective for tastypie to have both a more complete wrap_view() (including the above) and decorators (or some other way to selectively apply these things), just in case the developer's intention for using the overrides is to actually get around the normal behavior (eg, if you have an overridden endpoint that needs different throttling or relaxes auth requirements). Decorators would also be a good way to apply specific method checks (GET, POST, etc) to overrides, without having to have that boilerplate at the beginning of your method. I know I've used overrides where all of these would have been useful.

What are everyone's thoughts toward that kind of solution? I'm definitely interested in working on this, but I'm pretty strapped for time right now.

[enyachoke]

I have been struggling with this but I found and answer on SO.
http://stackoverflow.com/questions/11827368/tastypie-override-urls-ignores-authentication-and-authorization

[smesdaghi]

This is an old thread but since the issues is still open and ranked high in my search... a call to
self.is_authenticated(request) in the fist line of the handler will take care of the issue. tested with tastypie 0.11 & 0.12.

[SeanHayes]

The cookbook now recommends using self.wrap_view() inside prepend_urls(), closing this issue.

[servomac]

Event with wrap_view, I needed self.is_authenticated(request) in the handler method.