API V3: change permissions to allow anonymous access to public resources #11485

Merged
merged 5 commits into from
Aug 5, 2024

@stsewd stsewd commented Jul 18, 2024

  • No more "global" permission class; each view/action defines the permissions it needs.
  • No more querysets based on the view name; we just call `.api` to filter resources by the current user. If anything extra is needed, each view can override the queryset.
  • Lots of tests

Ref readthedocs/ext-theme#154

@stsewd stsewd marked this pull request as ready for review July 23, 2024 02:18
@stsewd stsewd requested a review from a team as a code owner July 23, 2024 02:18
@stsewd stsewd requested a review from humitos July 23, 2024 02:18

@ericholscher ericholscher left a comment

This looks like a great refactor to me. I had a few questions, but overall it looks solid.

Comment on lines +154 to +155
if self.name:
return self.name

I ran into this while working on sync-versions, and glad to see it fixed :)

# Any other action is read-only.
else:
permission_classes = [ReadOnlyPermission]
return [permission() for permission in permission_classes]
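
Review bot: the `else` fallback is fail-open for reads. Every action not matched by the branches above gets `ReadOnlyPermission`, so an action added later becomes readable without anyone deciding that it should be. The visible lines also build the list from a local `permission_classes` rather than `self.permission_classes`, which means a stricter `permission_classes` declared on an `@action` would be ignored here. Consider listing the read-only actions explicitly and denying unknown ones, or add a test that enumerates the viewset's actions and asserts the permissions returned for each.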

Interesting that you need to instantiate them.

@@ -238,7 +252,7 @@ class SubprojectRelationshipViewSet(
model = ProjectRelationship
lookup_field = "alias"
lookup_url_kwarg = "alias_slug"
queryset = ProjectRelationship.objects.all()
permission_classes = [ReadOnlyPermission | (IsAuthenticated & IsProjectAdmin)]
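
Review bot: on the `permission_classes` line, read access no longer requires authentication while the class-level `queryset` is still `ProjectRelationship.objects.all()`, so what an anonymous caller can see rests entirely on the queryset being narrowed elsewhere. Please confirm this viewset's `get_queryset` goes through `.api` for the requesting user, and add a test that an anonymous GET for a subproject relationship of a private project is not served.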

Why do we need this defined when we have the permissions set up in the APIv3Settings object?

Member Author


APIv3Settings no longer has a default permission class; each view needs to explicitly declare the permissions. This is because each view requires different permissions.
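
One way to guard the "every view declares its own permissions" rule from the reply above, as an added example that is not Read the Docs code: in DRF an empty permission list allows every request, so a view that declares nothing is open. All classes here are constructed stand-ins (`NotificationsViewSet`, `NotificationDetailViewSet` and `EmptyListViewSet` are hypothetical), and the base is assumed to declare no permissions.

```python
# Added example with constructed stand-in classes (not Read the Docs code).
class ReadOnlyPermission: ...

class APIv3Settings:
    """Stand-in for the shared base; assumed to declare no permissions."""
    permission_classes = ()

class ProjectsViewSet(APIv3Settings):  # declares through get_permissions
    def get_permissions(self):
        return [ReadOnlyPermission()]

class SubprojectsViewSet(APIv3Settings):  # declares through the attribute
    permission_classes = [ReadOnlyPermission]

class NotificationsViewSet(APIv3Settings):  # hypothetical: declares nothing
    pass

class NotificationDetailViewSet(NotificationsViewSet):  # inherits the gap
    pass

class EmptyListViewSet(APIv3Settings):  # an empty list is no declaration
    permission_classes = []


def declares_permissions(view_cls, base=APIv3Settings):
    """True if a class below `base` in the MRO sets permissions itself."""
    for klass in view_cls.__mro__:
        if issubclass(base, klass):  # skip base and its ancestors
            continue
        own = vars(klass)
        if own.get("permission_classes") or "get_permissions" in own:
            return True
    return False


def all_subclasses(cls):
    """Yield every direct and indirect subclass of cls."""
    for sub in cls.__subclasses__():
        yield sub
        yield from all_subclasses(sub)


def undeclared_views(base=APIv3Settings):
    """Sorted names of views that would run with no permission checks."""
    views = set(all_subclasses(base))
    return sorted(v.__name__ for v in views if not declares_permissions(v, base))
```

Run as a unit test over the real view classes, the same walk fails the build when `undeclared_views()` is not empty.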

get_permissions overrides all declarations of permissions, even in
actions