The problem with this piece of code (resources.py):
```python
def obj_update(self, bundle, skip_errors=False, **kwargs):
    """
    A ORM-specific implementation of ``obj_update``.
    """
    if not bundle.obj or not self.get_bundle_detail_data(bundle):
        try:
            lookup_kwargs = self.lookup_kwargs_with_identifiers(bundle, kwargs)
        except:
            # if there is trouble hydrating the data, fall back to just
            # using kwargs by itself (usually it only contains a "pk" key
            # and this will work fine.
            lookup_kwargs = kwargs

        try:
            bundle.obj = self.obj_get(bundle=bundle, **lookup_kwargs)
        except ObjectDoesNotExist:
            raise NotFound("A model instance matching the provided arguments could not be found.")

    bundle = self.full_hydrate(bundle)
    return self.save(bundle, skip_errors=skip_errors)
```
A large amount of processing, including full_hydrate(), is done before reaching self.authorized_update_detail which will check for the Authorization at that point.
This is very unfortunate because, when writing a custom Authorization resource that lets read calls through, but declines write calls to unauthenticated users (a common pattern), the following is not possible:
This (assuming user is a ForeignKey to a User field) will fail because Authorization.update_detail() has not been called yet to raise Unauthorized, and Django will error with ValueError: Cannot assign "<SimpleLazyObject: <django.contrib.auth.models.AnonymousUser object at 0x2f59690>>": "UserProfile.user" must be a "User" instance.
This took me a while to figure out and it would really be nice if things made more sense. hydrate() being processed by users who clearly would not be let through is bad.
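The ordering problem described in the issue, reproduced as a stand-alone Python model so it can be run offline. This is an added illustration and not tastypie's code: it mirrors the sequence `obj_update -> full_hydrate -> save -> Authorization.update_detail` with toy stand-ins, and shows a `hydrate()` override that fails closed before it touches the object. The names `User`, `AnonymousUser`, `UserProfile`, `ReadOnlyForAnonymous`, `ProfileResource`, `GuardedProfileResource` and `attempt_update` are constructed for the example, and `Unauthorized` stands in for tastypie's exception of the same name.

```python
"""Model of the call order in the issue: hydration runs before authorization.

Constructed for illustration; none of these classes are tastypie's or Django's.
"""


class Unauthorized(Exception):
    """Stand-in for tastypie.exceptions.Unauthorized (assumption)."""


class User:
    def __init__(self, username):
        self.username = username

    def is_authenticated(self):
        return True


class AnonymousUser:
    def is_authenticated(self):
        return False


class UserProfile:
    """Toy model: ``user`` only accepts a User, like a Django ForeignKey."""

    def __init__(self):
        self._user = None
        self.bio = ""

    @property
    def user(self):
        return self._user

    @user.setter
    def user(self, value):
        if not isinstance(value, User):
            raise ValueError(
                'Cannot assign "%r": "UserProfile.user" must be a "User" instance.' % (value,)
            )
        self._user = value


class Bundle:
    def __init__(self, obj, data, request_user):
        self.obj = obj
        self.data = data
        self.request_user = request_user


class ReadOnlyForAnonymous:
    """Lets reads through, denies writes to unauthenticated users."""

    def update_detail(self, bundle):
        if not bundle.request_user.is_authenticated():
            raise Unauthorized("Anonymous users may not write.")
        return True


class ProfileResource:
    authorization = ReadOnlyForAnonymous()

    def hydrate(self, bundle):
        # Naive override: assumes authorization already ran and assigns the
        # request user straight onto the ForeignKey-like field.
        bundle.obj.user = bundle.request_user
        bundle.obj.bio = bundle.data.get("bio", "")
        return bundle

    def full_hydrate(self, bundle):
        return self.hydrate(bundle)

    def save(self, bundle):
        # Authorization is only consulted here, after hydration has run.
        self.authorization.update_detail(bundle)
        return bundle

    def obj_update(self, bundle):
        bundle = self.full_hydrate(bundle)  # untrusted input processed first
        return self.save(bundle)


class GuardedProfileResource(ProfileResource):
    def hydrate(self, bundle):
        # Fail closed before touching the object: an anonymous request gets
        # Unauthorized instead of a ValueError from the model layer.
        if not bundle.request_user.is_authenticated():
            raise Unauthorized("Anonymous users may not write.")
        return super().hydrate(bundle)


def attempt_update(resource, request_user, data):
    """Return the exception class raised, or None if the update succeeded."""
    bundle = Bundle(UserProfile(), data, request_user)
    try:
        resource.obj_update(bundle)
    except (ValueError, Unauthorized) as exc:
        return type(exc)
    return None
```

Running `attempt_update(ProfileResource(), AnonymousUser(), {"bio": "x"})` reproduces the ValueError from the issue, while the guarded resource raises Unauthorized for the same request and still succeeds for an authenticated user. The guard is a workaround at the resource level; the underlying point of the issue stands, that the framework should consult the Authorization before hydrating untrusted input.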