[Answer]-Limiting data using tasty pie authorization

1👍

For question 1: On your UserResource you need to override the get_object_list method so it returns a filtered queryset like this:

def get_object_list(self, request):
    # Compare on the username string; request.user is a User object, and relying
    # on its __str__ to produce the username is fragile with custom user models.
    return super(UserResource, self).get_object_list(request).filter(username=request.user.username)

For question 2: You need to use prepend_urls to add your login/logout endpoints by hand and call the proper django login/logout functions like this:

from django.conf.urls import url  # Django < 4.0; use django.urls.re_path on newer releases
from django.contrib.auth import authenticate, login, logout
from django.contrib.auth.models import User
from tastypie.authentication import SessionAuthentication
from tastypie.resources import ModelResource
from tastypie.utils import trailing_slash


class UserResource(ModelResource):
    class Meta:
        queryset = User.objects.all()
        resource_name = 'user'
        # Never expose credential or privilege fields through the API.
        excludes = ['email', 'password', 'is_active', 'is_staff', 'is_superuser']
        authentication = SessionAuthentication()

    def get_object_list(self, request):
        # Restrict every list/detail lookup to the logged-in user's own row.
        return super(UserResource, self).get_object_list(request).filter(username=request.user.username)

    def prepend_urls(self):
        # Fixed endpoints under the resource, e.g. .../user/login/ and .../user/logout/
        return [
            url(r"^(?P<resource_name>%s)/login%s$" %
                (self._meta.resource_name, trailing_slash()),
                self.wrap_view('login_user'), name="api_login"),
            url(r'^(?P<resource_name>%s)/logout%s$' %
                (self._meta.resource_name, trailing_slash()),
                self.wrap_view('logout_user'), name='api_logout'),
        ]

    def login_user(self, request, **kwargs):
        self.method_check(request, allowed=['post'])
        # Deserialize according to the request's Content-Type (JSON by default).
        data = self.deserialize(request, request.body,
                                format=request.META.get('CONTENT_TYPE', 'application/json'))
        user = authenticate(username=data.get('username'), password=data.get('password'))
        if user:
            # Django's login() creates the session and rotates the CSRF token,
            # so the response carries fresh sessionid and csrftoken cookies.
            login(request, user)
            return self.create_response(request, {'success': True})
        return self.create_response(request, {'success': False})

    def logout_user(self, request, **kwargs):
        self.method_check(request, allowed=['post'])
        logout(request)  # flushes the session server-side, not just the client cookie
        return self.create_response(request, {'success': True})

So basically it is:

  1. Add "fixed" URLs to your resources
  2. Link them to your functions
  3. Do the proper login/logout from Django
  4. Return a response in your functions

This Resource returns properly and sets the proper csrf and sessionid on the cookies.

BTW you should use curl or something like that to test this and make your tests. The reason you can't logout is because you are not doing the proper logout() from Django. To use tastypie properly you should use only REST calls instead of browsing.

👤Itxaka
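The curl workflow the answer recommends, as an added example that is not part of the original answer or of Tastypie itself: a cookie jar keeps the sessionid and csrftoken cookies the login response sets, and the csrftoken is read back out of the jar so it can be echoed in the X-CSRFToken header, which Tastypie's SessionAuthentication requires on POST/PUT/PATCH/DELETE (the login/logout views themselves are wrapped with csrf_exempt by wrap_view, so they need no token). The base URL, the /api/v1 mount point and the credentials are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): drive the login/logout
# endpoints of UserResource with curl, as the answer suggests.
# ASSUMPTIONS: the Api is mounted at /api/v1/ and resource_name is 'user';
# override BASE for another layout.
BASE="${BASE:-http://localhost:8000/api/v1}"
JAR="${JAR:-$(mktemp)}"   # shared cookie jar: receives sessionid + csrftoken on login

# Read one cookie's value from a curl (Netscape-format) cookie jar.
# Data lines are tab-separated: domain, flag, path, secure, expiry, name, value.
# HttpOnly cookies (sessionid by default) are stored with a "#HttpOnly_"
# domain prefix, so lines starting with "#" must not all be skipped; matching
# on field count and name handles both kinds and ignores the header comments.
cookie_from_jar() {   # usage: cookie_from_jar JARFILE COOKIENAME
    awk -F '\t' -v want="$2" 'NF >= 7 && $6 == want { print $7 }' "$1" | tail -n 1
}

# POST credentials as JSON to the custom login view. wrap_view marks the
# view csrf_exempt, so no token is needed here; -c stores the cookies that
# Django's login() sets (sessionid, and a rotated csrftoken).
# Note: printf does no JSON escaping, so quotes in the password would break the body.
api_login() {         # usage: api_login USERNAME PASSWORD
    body=$(printf '{"username": "%s", "password": "%s"}' "$1" "$2")
    curl -s -b "$JAR" -c "$JAR" -H 'Content-Type: application/json' \
        -d "$body" "$BASE/user/login/"
}

# Session-authenticated GET; with the filtered get_object_list this lists
# only the caller's own user object.
api_list_users() {
    curl -s -b "$JAR" "$BASE/user/?format=json"
}

# Unsafe methods on a SessionAuthentication resource must echo the csrftoken
# cookie in X-CSRFToken or Tastypie rejects them as unauthenticated. (The
# resource above also keeps Tastypie's default ReadOnlyAuthorization, so a
# write would additionally need an Authorization class.)
api_request() {       # usage: api_request METHOD PATH [JSON-BODY]
    token=$(cookie_from_jar "$JAR" csrftoken)
    curl -s -b "$JAR" -c "$JAR" -X "$1" \
        -H 'Content-Type: application/json' -H "X-CSRFToken: $token" \
        -d "${3:-}" "$BASE$2"
}

# POST to the custom logout view; Django's logout() flushes the session
# server-side, so the old sessionid stops working even if a client keeps it.
api_logout() {
    curl -s -b "$JAR" -c "$JAR" -X POST "$BASE/user/logout/"
}

# Run the whole flow only when invoked as: sh this.sh demo USERNAME PASSWORD
if [ "${1:-}" = "demo" ]; then
    api_login "$2" "$3"; echo
    api_list_users; echo
    api_logout; echo
    api_list_users; echo   # now 401: the session is gone
fi
```

After api_login the jar holds both cookies; api_list_users should return a single object, and the same call after api_logout should come back 401 because SessionAuthentication no longer finds an authenticated user on the request.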
