Users can view every API page, since querysets are filtered per user and modifications remain protected by per-model permissions

Yohann D'ANELLO 2020-09-09 22:27:07 +02:00
parent 0f1f3b9560
commit 6a0dc4cb10
1 changed files with 2 additions and 1 deletions


@ -14,8 +14,9 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
This is a simple patch of this class that controls view access. This is a simple patch of this class that controls view access.
""" """
# The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"
perms_map = { perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'], 'GET': [], # ['%(app_label)s.view_%(model_name)s'],
'OPTIONS': [], 'OPTIONS': [],
'HEAD': [], 'HEAD': [],
'POST': ['%(app_label)s.add_%(model_name)s'], 'POST': ['%(app_label)s.add_%(model_name)s'],