User-Restricted Resource Access for media endpoint? #1049

jim8786453 opened this issue Aug 20, 2017 · 2 comments


@jim8786453 jim8786453 commented Aug 20, 2017

I'm using the User-Restricted Resource Access feature by setting the AUTH_FIELD setting. I've also enabled the media endpoint for files uploaded as part of one of my app's endpoints.

But I noticed that users have access to each other's files when using the media endpoint. (They can't access the resource the file is connected to because that endpoint is respecting the AUTH_FIELD setting).

I'd like for users only to be able to access media linked to resources they have access to. Is it feasible/desirable that this should be a part of Eve? If not, does anyone have any advice on how I could implement something myself to do this using the hook system or a custom Flask route maybe?


@antongisli antongisli commented Nov 4, 2017

I just raised a new issue on this (trying to raise more attention as I think this is a fairly big issue). Thinking about it, maybe it is possible to do a pre-check:

  • look up the associated resource entry for the media resource being asked for
  • look up the user_id associated with the resource
  • run authentication test on that user_id and pass/fail the request (don't know if that is possible or not).
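
The three-step pre-check described in the comment above, as an added example that is not part of the original thread and is not Eve's own code. It models the lookup over constructed in-memory documents; in a real application the lookup would be a database query made from a hook or custom route, and every name here except `AUTH_FIELD` is hypothetical.

```python
AUTH_FIELD = "user_id"  # assumed value of the AUTH_FIELD setting in this sketch

# Hypothetical summary of which fields in each resource hold a media file id.
MEDIA_FIELDS = {"invoices": ["scan"], "profiles": ["avatar"]}

# Constructed sample documents; a media field stores the id of the stored file.
DOCUMENTS = {
    "invoices": [
        {"_id": 1, "user_id": "alice", "scan": "f-100"},
        {"_id": 2, "user_id": "bob", "scan": "f-200"},
        {"_id": 3, "scan": "f-400"},  # no owner recorded
    ],
    "profiles": [{"_id": 7, "user_id": "bob", "avatar": "f-300"}],
}


def find_owning_documents(media_id, documents=DOCUMENTS, media_fields=MEDIA_FIELDS):
    """Step 1: return every document whose media field references media_id."""
    return [
        doc
        for resource, fields in media_fields.items()
        for doc in documents.get(resource, [])
        if any(doc.get(field) == media_id for field in fields)
    ]


def may_read_media(media_id, requesting_user):
    """Steps 2 and 3: allow only if a referencing document belongs to the user.

    Fails closed: unauthenticated requests, unknown file ids, orphaned files
    and documents without an AUTH_FIELD value are all denied.
    """
    if not requesting_user:
        return False
    owners = {doc.get(AUTH_FIELD) for doc in find_owning_documents(media_id)}
    owners.discard(None)
    return requesting_user in owners


def media_response_status(media_id, requesting_user):
    """Status a media route would return after the pre-check.

    Design choice in this sketch: 404 for both missing and forbidden files,
    so the response does not reveal which file ids exist.
    """
    return 200 if may_read_media(media_id, requesting_user) else 404
```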

@nicolaiarocci nicolaiarocci commented Nov 9, 2017

Same as #1083
