This is not a bug but rather a question.
I was wondering what's the best way to allow authorized but unauthenticated API users to view the documentation for certain endpoints.
In my case, I need API users with the HasAdminAPIKey permission to be authorized to see the schema for user endpoints (which require the IsAuthenticated permission).
My permission_classes for my UserViewSet looked like this: permission_classes = [IsAuthenticated & (HasAdminAPIKey | IsDebugOn)], and now I've changed it to permission_classes = [(HasAdminAPIKey | IsDebugOn) & (IsAuthenticated | IsDocsRequest)]
This makes it possible for unauthenticated API users to access the view in the docs, but obviously not outside of them.
The issue is that this is not a secure way to check if the request is coming from drf-spectacular, as theoretically an API user with the HasAdminAPIKey permission could simply add the required referer to his headers...
So, what do you think is the best way to check if a request is coming from drf-spectacular in IsDocsRequest? Or is there another approach I'm missing?
Thank you for the help.
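An added example (not the issue author's code and not part of drf-spectacular) that models the permission composition above and contrasts the Referer-based IsDocsRequest with a check on a marker that only server-side code can set, such as a custom schema mock-request builder (drf-spectacular exposes one through its GET_MOCK_REQUEST setting). Class names, the request model, the constructed API key and the docs URL are assumptions, IsDebugOn is omitted, and DRF's `&`/`|` permission operators are reimplemented minimally so the file runs without Django installed.

```python
# Added example, not code from the issue author or from drf-spectacular.
# Minimal stand-ins for DRF's permission operators so it runs without Django.
from dataclasses import dataclass, field

ADMIN_API_KEY = "constructed-admin-key"  # constructed sample secret

@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    user_authenticated: bool = False
    # Set only by the server-side schema mock-request builder (assumed hook);
    # an HTTP client cannot place an attribute on the request object.
    is_schema_generation: bool = False

class Permission:
    def has_permission(self, request): raise NotImplementedError
    def __and__(self, other): return Combined(all, self, other)
    def __or__(self, other): return Combined(any, self, other)

class Combined(Permission):
    """Evaluates child permissions with all() for '&' and any() for '|'."""
    def __init__(self, reducer, *parts):
        self.reducer, self.parts = reducer, parts
    def has_permission(self, request):
        return self.reducer(p.has_permission(request) for p in self.parts)

class IsAuthenticated(Permission):
    def has_permission(self, r): return r.user_authenticated

class HasAdminAPIKey(Permission):
    def has_permission(self, r): return r.headers.get("X-API-Key") == ADMIN_API_KEY

class RefererDocsRequest(Permission):
    """The forgeable check from the issue: trusts a client-controlled header."""
    def has_permission(self, r):
        return r.headers.get("Referer", "").startswith("https://api.example/docs")

class SchemaDocsRequest(Permission):
    """Hardened check: trusts a marker that only server-side code sets."""
    def has_permission(self, r): return r.is_schema_generation

def referer_policy(): return HasAdminAPIKey() & (IsAuthenticated() | RefererDocsRequest())
def marker_policy(): return HasAdminAPIKey() & (IsAuthenticated() | SchemaDocsRequest())

def forged_request():
    # Unauthenticated API-key holder who typed the docs Referer in by hand.
    return Request(headers={"X-API-Key": ADMIN_API_KEY, "Referer": "https://api.example/docs/"})

def schema_request():
    # What the server-side mock-request builder hands to check_permissions.
    return Request(headers={"X-API-Key": ADMIN_API_KEY}, is_schema_generation=True)
```

The forged request passes the Referer-based policy but not the marker-based one, while a genuine schema-generation request passes the marker-based policy only if it also carries the admin API key.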