feat(Proof): improve the permission strategy #603
Conversation
- allow anonymous proof upload (a new proof.anonymous field tracks which proof was uploaded by an anonymous user) - allow to retrieve and list all proofs, irrespective of your authentication status - allow users to add a price to a proof they don't own - allow moderators to update/delete a proof Tracking history for the proof table is meant to be made in a future PR
raphodn
changed the title
| @@ -463,12 +463,6 @@ def clean(self, *args, **kwargs): | |||
| ) | |||
|
|
|||
| if proof: | |||
| if proof.owner != self.owner: | |||
There was a problem hiding this comment.
we should not allow users to add prices on proofs they do not own such as RECEIPTs or GDPR_REQUESTs or SHOP_IMPORTs. It should only be possible for PRICE_TAGs
| @@ -33,9 +33,14 @@ class Meta: | |||
| verbose_name = "User" | |||
| verbose_name_plural = "Users" | |||
|
|
|||
| @property | |||
There was a problem hiding this comment.
@raphodn This is important addition, there was a bug here, because we just checked that the User instance had a is_authenticated method when doing if user.is_authenticated (which is always true)
There was a problem hiding this comment.
this requires a dedicated "fix" PR 🙏
and to be tested, because it's probably here for a reason ? (that I can't remember, most likely because of our custom User model & auth) 🤔
There was a problem hiding this comment.
The method is here because we use it during proof upload. It was a hidden bug, as we used to block all non authenticated requests (but not anymore), so the user was always authenticated.
allow anonymous proof upload (a new proof.anonymous field tracks which proof was uploaded by an anonymous user)allow to retrieve and list all proofs, irrespective of your authentication statusallow users to add a price to a proof they don't ownTracking history for the proof table is meant to be made in a future PR