Added api_view and throttle_class decorators to all views to throttle back-end api calls #1012
Closes #1009
civictechprojects/views.py
Outdated
@@ -79,6 +79,8 @@ def group_tags_counts(request): | |||
|
|||
# TODO: Pass csrf token in ajax call so we can check for it | |||
@csrf_exempt | |||
@api_view() |
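Review bot: the bare @api_view() on the last line of the hunk silently means GET only, so spell the list out as @api_view(['GET']) on group_tags_counts; an explicit list survives a copy-paste onto a POST view and a change of the default without a surprise 405. The @csrf_exempt stacked above it together with the open TODO also deserves a sentence in the comment saying which check is expected to protect the endpoint once the token is sent, since routing through api_view means DRF's own session CSRF enforcement now applies to authenticated requests.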
Do we need the @api_view() lines? If so, then POST methods like group_create need to be called with 'POST', because otherwise it defaults to just allowing GET.
@api_view() | |
@api_view(['POST']) |
From what I could find online, the @throttle_classes() decorator is meant to be used in conjunction with the @api_view() decorator and may not function correctly without it. I reviewed each of the views and updated the methods in the api_view() decorators, hopefully appropriately!
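The reply above states the two rules this review keeps returning to: throttle_classes only works on a view that api_view has wrapped, and api_view takes one list of allowed methods (which is why the later traceback in this thread shows a TypeError). The following is an added, standalone Python illustration of both mechanisms, not code from this PR and not Django REST framework's implementation: a method-checking api_view decorator that answers 405, and a sliding-window throttle keyed per anonymous address or per user in the spirit of AnonRateThrottle and UserRateThrottle. The Request/Response stand-ins, the limits (3 per minute anonymous, 5 per minute per user), the FakeClock and the group_delete view shape are assumptions made for the example.

```python
"""Added illustration of api_view-style method checks and throttle_classes-style
rate limiting. Not DRF code; names, limits and the Request/Response stand-ins
are assumptions made for this example."""
from collections import defaultdict, deque
from functools import wraps
import time


class Request:
    def __init__(self, method, remote_addr="203.0.113.10", user=None):
        self.method = method            # HTTP verb as sent by the client
        self.remote_addr = remote_addr  # constructed sample address
        self.user = user                # None means anonymous


class Response:
    def __init__(self, status, body="", headers=None):
        self.status, self.body, self.headers = status, body, headers or {}


class FakeClock:
    """Deterministic clock so window expiry can be shown offline."""
    def __init__(self): self.now = 1_000.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


class RateThrottle:
    """Allow at most num_requests per duration seconds for each cache key."""
    def __init__(self, num_requests, duration, clock=time.monotonic):
        self.num_requests, self.duration, self.clock = num_requests, duration, clock
        self.history = defaultdict(deque)   # key -> timestamps inside the window

    def get_cache_key(self, request):
        raise NotImplementedError           # None means "this throttle does not apply"

    def allow_request(self, request):
        key = self.get_cache_key(request)
        if key is None:
            return True
        now, hist = self.clock(), self.history[key]
        while hist and hist[0] <= now - self.duration:   # drop entries outside the window
            hist.popleft()
        if len(hist) >= self.num_requests:
            return False
        hist.append(now)
        return True


class AnonRateThrottle(RateThrottle):
    def get_cache_key(self, request):
        return None if request.user else f"anon:{request.remote_addr}"


class UserRateThrottle(RateThrottle):
    def get_cache_key(self, request):
        return f"user:{request.user}" if request.user else None


def api_view(http_method_names=None):
    """ONE list of verbs (GET only when omitted); other verbs get 405 before the view runs."""
    allowed = frozenset(m.upper() for m in (http_method_names or ["GET"]))

    def decorator(func):
        @wraps(func)
        def view(request, *args, **kwargs):
            if request.method.upper() not in allowed:
                return Response(405, "Method Not Allowed", {"Allow": ", ".join(sorted(allowed))})
            return func(request, *args, **kwargs)
        view.allowed_methods = allowed
        return view
    return decorator


def throttle_classes(throttles):
    """Reject with 429 as soon as any throttle in the list refuses the request."""
    def decorator(func):
        @wraps(func)
        def view(request, *args, **kwargs):
            for throttle in throttles:
                if not throttle.allow_request(request):
                    return Response(429, "Too Many Requests")
            return func(request, *args, **kwargs)
        return view
    return decorator


def build_group_delete(clock):
    """A delete endpoint shaped like the one in the PR; api_view sits outermost as DRF requires."""
    @api_view(["GET", "POST"])
    @throttle_classes([AnonRateThrottle(3, 60, clock), UserRateThrottle(5, 60, clock)])
    def group_delete(request, group_id):
        return Response(200, f"deleted group {group_id}")
    return group_delete


def misuse_raises_type_error():
    """api_view('GET', 'POST') passes two positional args: the bug from the thread."""
    try:
        api_view("GET", "POST")
    except TypeError:
        return True
    return False


def demo():
    """Status codes for a constructed request sequence against group_delete."""
    clock, statuses = FakeClock(), []
    view = build_group_delete(clock)
    statuses += [view(Request("POST"), 7).status for _ in range(4)]                 # 200 x3, then 429
    statuses.append(view(Request("DELETE"), 7).status)                              # 405, not counted
    statuses += [view(Request("POST", user="alice"), 7).status for _ in range(6)]   # 200 x5, then 429
    clock.advance(61)                                                               # anonymous window expires
    statuses.append(view(Request("POST"), 7).status)                                # 200 again
    return statuses


if __name__ == "__main__":
    print(misuse_raises_type_error(), demo())
```

The 405 for DELETE is produced before any throttle is consulted, which is the ordering the decorator stack gives and the reason the method list has to match what the client actually sends; an anonymous client and a signed-in user are limited independently because each throttle returns None for the case it does not cover.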
civictechprojects/views.py
Outdated
@@ -139,6 +147,8 @@ def get_group(request, group_id): | |||
return HttpResponse(status=404) | |||
|
|||
|
|||
@api_view('GET', 'POST') |
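Review bot: @api_view('GET', 'POST') on the last line passes two positional arguments, but api_view takes a single list of method names, so importing the module fails with the TypeError quoted later in this thread and no page in the app loads. Change it to @api_view(['GET', 'POST']).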
@api_view('GET', 'POST') | |
@api_view(['GET', 'POST']) |
Page is failing to load with error message:
File "/app/civictechprojects/views.py", line 150, in <module>
@api_view('GET', 'POST')
TypeError: api_view() takes from 0 to 1 positional arguments but 2 were given
civictechprojects/views.py
Outdated
@@ -110,6 +114,8 @@ def group_edit(request, group_id): | |||
|
|||
# TODO: Pass csrf token in ajax call so we can check for it | |||
@csrf_exempt | |||
@api_view(['GET', 'DELETE']) |
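Review bot: @api_view(['GET', 'DELETE']) on the last line declares DELETE while the front end sends the deletion as POST, so those requests will be answered 405 instead of reaching the view. Change the verb on both sides in the same PR or keep ['GET', 'POST'] for now; changing only the server side breaks the feature. The TODO above @csrf_exempt is still open here, so that exemption is still doing real work and should stay until the token is sent.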
We actually use POST here, when we should have used DELETE, same with the other deletion operations.
@api_view(['GET', 'DELETE']) | |
@api_view(['GET', 'POST']) |
civictechprojects/views.py
Outdated
@@ -644,6 +704,8 @@ def presign_project_thumbnail_upload(request): | |||
raw_key=s3_key, file_name=file_name, file_type=file_type, acl="public-read") | |||
|
|||
# TODO: Replace with is_co_owner_or_owner | |||
@api_view() | |||
@throttle_classes([AnonRateThrottle, UserRateThrottle]) | |||
def volunteer_operation_is_authorized(request, volunteer_relation): |
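Review bot: volunteer_operation_is_authorized(request, volunteer_relation) takes a second argument and answers an authorization question for other views, so it is a helper rather than a URL-routed view, and the @api_view() and @throttle_classes lines above it should be removed. Wrapping it means every internal call is counted against the caller's AnonRateThrottle/UserRateThrottle quota, its return value is pushed through DRF's response handling, and with the bare @api_view() (GET only) a call made while handling a POST is refused as 405 before the check runs.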
Throttling not needed here, this is a helper method (that should live in a file with other helper methods).
civictechprojects/views.py
Outdated
@api_view(['GET', 'POST']) | ||
@throttle_classes([AnonRateThrottle, UserRateThrottle]) | ||
def group_delete(request, group_id): |
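Review bot: the failure reported for group_delete is most likely the CSRF check rather than the throttle. Once the view is wrapped by @api_view, DRF's SessionAuthentication enforces CSRF on POST for logged-in users, and the per-view @csrf_exempt used elsewhere in this file does not switch that off. The TODO lines in this same patch ("Pass csrf token in ajax call so we can check for it") name the same gap, so sending the X-CSRFToken header from the JS that posts the delete, as described later in the thread, is the fix to pursue here.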
This operation is failing, and I'm not sure why. It's definitely being sent with POST.
civictechprojects/views.py
Outdated
@api_view(['GET', 'POST']) | ||
@throttle_classes([AnonRateThrottle, UserRateThrottle]) | ||
def project_delete(request, project_id): |
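Review bot: ['GET', 'POST'] on project_delete lets a plain GET (a link, a prefetch, a bookmark) reach a destructive handler; unless the body branches on request.method, list only the verb that performs the deletion (['POST'] today, ['DELETE'] if the client is changed as suggested earlier). The failure reported for this view has the same shape as the one on group_delete and is most likely the same CSRF check, not the throttle.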
This operation also failing for unknown reasons.
@kennzi I think adding I added tests to some django views to ensure that throttling is working as expected. However, now that every view becomes Also important - One thing left is modifying another js function to send CSRF token in headers -
Looks great! Props on fixing our long-standing CSRF issues 🥇