Add permissions check to block diagram API #61
cabarnes commented on Apr 30, 2017
- Requires the user to be logged in to access the block diagram API.
- User can only access the user's block diagrams.
- Any superuser accounts can access all block diagrams through the API.
- Sets user to the logged in user that created the block diagram.

What do you think of these tweaks?
Being able to read all other users' block diagrams will make it easier for us in the future to make the "clone" function, where a user makes his own copy of somebody else's block diagram. Thoughts?

@aninternetof So, would all block diagrams be publicly viewable or would the user have control over which are shared?

I vote for all block diagrams being publicly viewable. I believe that's what Scratch does -- encourage (force) sharing.

Then they can buy premium to have |
All users see all block diagrams. A user can only change the user's block diagrams.
| user = self.request.user | ||
| serializer.save(user=user) | ||
|
|
||
| def perform_update(self, serializer): |
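Review bot: on `serializer.save(user=user)`, the owner is taken from `self.request.user` at create time, which is the right source, but nothing visible here stops `user` from being supplied in an update body. If the serializer exposes `user` as a writable field, mark it read-only so that `perform_update` cannot be used to reassign a diagram to another account. A test for a non-owner update attempt, and one for a superuser update attempt, would pin the intended behaviour down.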
Does this let a superuser update anyone's block diagram?
No, it won't. I wasn't sure if there would really be a use for it. I could change the if statement to also check for superuser if so.
Sounds good -- let's leave it out.
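
The access rule this thread settles on (every user can read every block diagram, only the owner can change one, no superuser override on update), written as an added example that is not the project's code. It mirrors the `has_permission` / `has_object_permission` shape of a Django REST Framework permission class without importing the framework; the `User`, `Request` and `BlockDiagram` stand-ins and the class name are hypothetical, and it assumes the login requirement from the PR description still applies to reads.

```python
from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # the methods DRF treats as read-only


@dataclass
class User:  # constructed stand-in for a Django auth user
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False


@dataclass
class Request:  # constructed stand-in for the DRF request object
    method: str
    user: User


@dataclass
class BlockDiagram:  # hypothetical model; only the owner field matters here
    name: str
    user: User


class IsOwnerOrReadOnly:
    """Logged-in users may read everything; only the owner may write."""

    def has_permission(self, request, view=None):
        # View-level gate (assumption: login is still required for reads).
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        # Deliberately no is_superuser branch: the thread chose to leave
        # superuser updates out of the API.
        return obj.user == request.user


def allowed(request, obj):
    """Apply both checks in the order DRF does: view-level, then object-level."""
    perm = IsOwnerOrReadOnly()
    return perm.has_permission(request) and perm.has_object_permission(request, None, obj)
```

Putting the ownership test in an object-level check keeps it in one place for update and delete alike, instead of repeating an `if` in each `perform_*` method.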