Create a HasMany Smart relationship example for Django creates unauthenticated endpoint

Feature(s) impacted

  • HasMany Smart Relationship documentation

Observed behavior

The example code provided in the documentation for creating a HasMany Smart Relationship in Django instructs customers to unknowingly implement an unauthenticated endpoint in their codebase.

from django.http import JsonResponse
from django.views import generic

from django_forest.resources.utils.queryset import PaginationMixin
from django_forest.utils.schema.json_api_schema import JsonApiSchema
# Customer is the project's own model; import it from your app's models module
# (the module path is not shown in the documentation excerpt).

class BuyersView(PaginationMixin, generic.ListView):
    def get(self, request, pk, *args, **kwargs):
        params = request.GET.dict()

        # queryset
        queryset = Customer.objects.filter(order__product_id=pk).distinct()

        # pagination
        queryset = self.get_pagination(params, queryset)

        # json api serializer
        Schema = JsonApiSchema.get('app_customer')
        data = Schema().dump(queryset, many=True)

        return JsonResponse(data, safe=False)

ListView and PaginationMixin classes do not implement any authentication, so this view exposes whatever data is returned in the response to unauthenticated users.

Expected behavior

Either the documentation should explicitly call out the fact that this example creates an unauthenticated endpoint or the example should be updated to force authentication. For example:

from django.http import HttpResponse, JsonResponse
from django.views import generic

from django_forest.resources.utils.queryset import PaginationMixin
from django_forest.utils.schema.json_api_schema import JsonApiSchema
from django_forest.utils.views.base import BaseView
# Customer is the project's own model; import it from your app's models module
# (the module path is not shown in the documentation excerpt).

class BuyersView(BaseView, PaginationMixin, generic.ListView):
    def get(self, request, pk, *args, **kwargs):
        # reject the request before any data is queried
        if not self.is_authenticated(request):
            return HttpResponse(status=403)

        params = request.GET.dict()

        # queryset
        queryset = Customer.objects.filter(order__product_id=pk).distinct()

        # pagination
        queryset = self.get_pagination(params, queryset)

        # json api serializer
        Schema = JsonApiSchema.get('app_customer')
        data = Schema().dump(queryset, many=True)

        return JsonResponse(data, safe=False)

Context

  • Project name: N/A
  • Team name: N/A
  • Environment name: N/A
  • Agent type & version: django-forestadmin 1.2.0
  • Recent changes made on your end if any: N/A

Hi @russell,

Thanks for the report.
You’re right,
I’ll update the documentation soon to explain how to add the authentication process.