Conversation
rwrzesien
requested review from
Karrp,
MartynaAnnaGottschling,
Szymiks,
dybi,
kbeker and
maciejSamerdak
rwrzesien
force-pushed
the
feature-access-permissions
branch
2 times, most recently
from
c870c4a to
872df18
Compare
rwrzesien
changed the title
employees/views.py
Outdated
| ), | ||
| name="dispatch", | ||
| ) | ||
| class ReportDetail(UserIsManagerOfCurrentReportProjectMixin, UserIsAuthorOfCurrentReportMixin, APIView): |
There was a problem hiding this comment.
@rwrzesien I've checked that this isn't working as we assupted. Can this work if this is still rest framework view? It even does not use get_queryset method.
There was a problem hiding this comment.
That's right, but this view is now refactored so it should work just fine.
dybi
left a comment
dybi
left a comment
There was a problem hiding this comment.
Generally, seems like a piece of good work. Still, I would have some suggestions / questions.
employees/views.py
Outdated
| ), | ||
| name="dispatch", | ||
| ) | ||
| class ReportList(APIView, UserIsManagerOfCurrentReportProjectMixin, UserIsAuthorOfCurrentReportMixin): |
There was a problem hiding this comment.
the order of parent classes is different in ReportList and ReportDetail. Is it done on purpose? If yes. please explain why. If not, please keep it unified ;)
There was a problem hiding this comment.
My bad and good catch, should be like in ReportDetail, but still it won't work with APIView which doesn't use get_queryset method, but it is in progress of refactoring to django view by @Szymiks so it can wait for his pull request (or got merged, as it doesn't break anything).
| check_permissions(allowed_user_types=[CustomUser.UserType.EMPLOYEE.name, CustomUser.UserType.ADMIN.name]), | ||
| name="dispatch", | ||
| ) | ||
| class ReportDeleteView(UserIsAuthorOfCurrentReportMixin, DeleteView): |
There was a problem hiding this comment.
Maybe it is because my little experience with django, but this seems a bit complex.
- In first decorator (
login_required) we enforce user to be logged in - In second one (
check_permissions) we check if user is of right type to be able to have access to the resource; if not, we redirect him to login page (?) - Then we modify the
querysetofEmployee, so only his reports are accessible.
Although the usage of mixin seems pretty clever, I am wondering if there's no easier / simpler way to achieve what we want. Don't get me wrong - I am really not sure, just asking :)
There was a problem hiding this comment.
Nothing I can think of. Consider this example:
There is a view class that has get_queryset() method with some complex filtering. If you would like to do this in decorator too, you would have to call and evaluate get_queryset() method of decorated class inside decorator (which sounds ugly already) to figure out if returned object match current user/role.
If this would be added in the view code in form of if, it would require overwriting method in each view in which we would like to add it. Sounds like a lot of work.
I think the mixin approach and limiting queryset is the cleanest and most optimized way to do this. At least of all those which I have thought of, but maybe there is a better way I haven't thought of.
The part I don't like with this solution is that it returns 404 instead of 403, but I think its fair trade-off.
if not, we redirect him to login page (?)
Yes, exactly this is done in this decorator.
There was a problem hiding this comment.
@rwrzesien Ok, I'am convinced, thanks for the explanation :)
| manager_project = ProjectFactory() | ||
| manager_project.managers.add(user) | ||
| # Project without current user as manager. | ||
| ProjectFactory() |
There was a problem hiding this comment.
similarly, I would suggest adding check that we have 2 objects in the DB
rwrzesien
force-pushed
the
feature-access-permissions
branch
2 times, most recently
from
417feb2 to
fd3c9c3
Compare
kbeker
force-pushed
the
feature-access-permissions
branch
from
fd3c9c3 to
2fb7456
Compare
kbeker
force-pushed
the
feature-access-permissions
branch
from
2fb7456 to
100363c
Compare
3 participants
Resolves #45
Resolves #182
Resolves #183