Is your feature request related to a problem? Please describe.

API keys are useful to identify a client, but the permission system could be more fine-grained by introducing a notion of "scope", i.e. what is the API key allowed to do?

Describe the solution you'd like

Scopes can be assigned via the admin (using a "Scopes" section in the APIKeyModelAdmin), or programmatically:

Assigning a scope to an API key has the effect of granting it access to the views which require this scope, e.g.

Like Django's permissions system, the x.y.read, x.y.create, x.y.update and x.y.delete scopes should be created automatically for each model y in each app x.

Custom scopes can be registered via settings:

Implementation ideas

Models:
- Scope: code*, verbose_name, description
- ScopesMixin: scopes (M2M to Scope) + various helpers (.has_scope(), .has_scopes())
- APIKey: add ScopesMixin to the class hierarchy.

Permissions:
- APIKeyHasScopes permission class which inspects the required_scopes attribute on the view. Scopes in required_scopes are formatted as code:action.

Describe alternatives you've considered

- Do not include builtin scopes: it would be cumbersome to have to create them manually, and the cost of creating/storing them is very low.
- Custom scope discovery via a model's Meta.api_key_scopes: while it is possible to allow extra attributes on Meta (by extending models.options.DEFAULT_NAMES), those extra attributes are not available during migrations (as models are faked at that time), which means custom scopes are not detected as they should be. On the other hand, settings are always available.

Additional context

@LeOntalEs implemented a flavor of this in his fork: tarasira#1

Useful inspiration:
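As an added, framework-free Python sketch of the Scope / ScopesMixin / APIKeyHasScopes design proposed above (illustration only, not code from djangorestframework-api-key or from the linked fork): it assumes that a view's code:action entry such as blog.post:read is satisfied by a key holding the generated scope code blog.post.read, and that a request without an authenticated key is denied.

```python
from dataclasses import dataclass, field

# Assumption: the four per-model actions the issue lists, mirroring Django's add/change/view/delete.
ACTIONS = ("read", "create", "update", "delete")


def builtin_scope_codes(app_models):
    """Generate 'x.y.<action>' codes for every (app, model) pair, like Django's auto-created permissions."""
    return {f"{app}.{model}.{action}" for app, model in app_models for action in ACTIONS}


@dataclass(frozen=True)
class Scope:
    code: str  # e.g. "blog.post.read"; the unique key a view refers to
    verbose_name: str = ""
    description: str = ""


@dataclass
class ScopesMixin:
    scopes: set = field(default_factory=set)  # stands in for the M2M to Scope

    def has_scope(self, code):
        return any(s.code == code for s in self.scopes)

    def has_scopes(self, codes):
        return all(self.has_scope(c) for c in codes)


@dataclass
class APIKey(ScopesMixin):
    name: str = ""


def required_to_code(required):
    """Map a view's 'code:action' entry to a Scope.code ('code.action'); this mapping is an assumption."""
    code, sep, action = required.rpartition(":")
    if not sep or not code or not action:
        raise ValueError(f"malformed required scope: {required!r}")
    return f"{code}.{action}"


class APIKeyHasScopes:
    """Deny unless the authenticated key holds every scope in view.required_scopes (fail closed without a key)."""
    def has_permission(self, api_key, view):
        if api_key is None:
            return False
        required = getattr(view, "required_scopes", ())
        return api_key.has_scopes(required_to_code(r) for r in required)
```

A view that declares no required_scopes imposes no scope restriction beyond the base key check, so views that need a scope must list it explicitly.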