Feature(s) impacted
- HasMany Smart Relationship documentation
Observed behavior
The example code provided in the documentation for creating a HasMany Smart Relationship in Django instructs customers to unknowingly implement an unauthenticated endpoint in their codebase.

```python
from django.http import JsonResponse
from django.views import generic
from django_forest.resources.utils.queryset import PaginationMixin
from django_forest.utils.schema.json_api_schema import JsonApiSchema

from app.models import Customer  # import path assumed; the collection used below is 'app_customer'


class BuyersView(PaginationMixin, generic.ListView):
    def get(self, request, pk, *args, **kwargs):
        params = request.GET.dict()

        # queryset
        queryset = Customer.objects.filter(order__product_id=pk).distinct()

        # pagination
        queryset = self.get_pagination(params, queryset)

        # json api serializer
        Schema = JsonApiSchema.get('app_customer')
        data = Schema().dump(queryset, many=True)

        return JsonResponse(data, safe=False)
```

The ListView and PaginationMixin classes do not implement any authentication, so this view exposes whatever data is returned in the response to unauthenticated users.
Expected behavior
Either the documentation should explicitly call out the fact that this example creates an unauthenticated endpoint, or the example should be updated to force authentication. For example:

```python
from django.http import HttpResponse, JsonResponse
from django.views import generic
from django_forest.resources.utils.queryset import PaginationMixin
from django_forest.utils.schema.json_api_schema import JsonApiSchema
from django_forest.utils.views.base import BaseView

from app.models import Customer  # import path assumed; the collection used below is 'app_customer'


class BuyersView(BaseView, PaginationMixin, generic.ListView):
    def get(self, request, pk, *args, **kwargs):
        # reject requests that do not carry a valid Forest Admin session
        if not self.is_authenticated(request):
            return HttpResponse(status=403)

        params = request.GET.dict()

        # queryset
        queryset = Customer.objects.filter(order__product_id=pk).distinct()

        # pagination
        queryset = self.get_pagination(params, queryset)

        # json api serializer
        Schema = JsonApiSchema.get('app_customer')
        data = Schema().dump(queryset, many=True)

        return JsonResponse(data, safe=False)
```
Context
- Project name: N/A
- Team name: N/A
- Environment name: N/A
- Agent type & version: django-forestadmin 1.2.0
- Recent changes made on your end if any: N/A