
Tighten up permissions #23

Open
dleehr opened this issue Apr 12, 2016 · 2 comments

Comments

@dleehr
Member

dleehr commented Apr 12, 2016

Currently, any logged-in user can view any user's registered API keys and handover tokens. Implement object-level permissions with django-guardian to prevent this: https://django-guardian.readthedocs.org/en/stable/

@dleehr
Member Author

dleehr commented Apr 29, 2016

This is slightly improved in #36. API access now requires User.is_staff, aka admin access. But we should still implement object-level permissions to prevent one staff user from accessing other users' API keys.

@dleehr
Member Author

dleehr commented Dec 5, 2016

Also, since email templates have been added and linked to groups, it makes sense to limit these permissions based on groups.

E.g. a user in group xyz should be able to view all deliveries for group xyz.
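As an added illustration (not code from this repository), the following pure-Python sketch contrasts the staff-only check introduced in #36 with the owner- and group-scoped check the thread asks for. The `User`, `APIKey` and `Delivery` stand-ins and their field names are assumptions made for the example; in the real project the object-level rule would be enforced through django-guardian's per-object permissions rather than a hand-rolled predicate.

```python
from dataclasses import dataclass

# Stand-ins for the Django models (constructed for this example; the field
# names are assumptions, not the project's real schema).
@dataclass(frozen=True)
class User:
    username: str
    is_staff: bool = False
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class APIKey:
    """Owner-scoped secret; handover tokens follow the same rule."""
    owner: str
    value: str

@dataclass(frozen=True)
class Delivery:
    """Group-scoped object (email templates are linked to groups)."""
    group: str
    ident: str


def staff_only_allows(user: User, obj) -> bool:
    """Check as of #36: any staff user may read any object.

    This blocks ordinary users but still lets one staff user read
    another user's API keys, which is the remaining gap in the issue.
    """
    return user.is_staff


def object_level_allows(user: User, obj) -> bool:
    """Tightened check: owner-scoped objects are visible only to their
    owner, group-scoped objects only to members of that group. Staff
    status alone no longer grants access to someone else's secrets."""
    if isinstance(obj, APIKey):
        return obj.owner == user.username
    if isinstance(obj, Delivery):
        return obj.group in user.groups
    return False  # deny by default for any other object type


def visible(user: User, objects, check=object_level_allows):
    """Filter a collection down to what `user` may see under `check`,
    the way a view would restrict its queryset per request."""
    return [o for o in objects if check(user, o)]
```
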
