Check user access through foreign keys on object edit

This question is about Authentication and authorization concepts in the API.

Users can access and edit Report objects in our database.
Each Report belongs to a Project object, and has a foreign key pointing to that Project.
Some users will have project-specific write tokens, while other tokens are broader.

It seems that has_object_permission gets checked on model read and access, but access permissions for objects referenced by foreign keys aren’t checked. As a result, users can access a Report and change its Project ID, moving it into a Project which they don’t have write access to. I’m now realizing this might be a strange setup, with children pointing to their parents.

I’ve tried adding code to the api.views.report.partial_update to raise a PermissionDenied in the above case, but no luck so far. Is this the best place to check those permissions (for a PUT or PATCH) before writing? I just added code to raise a PermissionDenied no matter what, in partial_update, just to make sure I’m in the right place, but that had no effect on a PUT.

Really sorry I can’t include code, but this one’s far too sensitive.

Hello there!

The fewer the details, the lower the quality of the responses you're going to get.

With that in mind, you're probably using some permission_classes on your view. They're the ones responsible for this kind of check if you're using the CRUD facilities in DRF (I'm assuming you're using DRF based on some of the method names). If so, are your `permission_classes` verifying that the user has permission for that specific project?

Thanks for your help, leandodesouzadev. Yes, this is using DRF. Many of these auto-run methods, such as permission checks, don't make sense when I first look at them.

Now, after finally figuring out how to access the important data in the request in order to manually check those permissions (and I got that approach working), I take another look at has_object_permission and I see exactly where and how to check the permissions that I need. Okay, I'm going to refactor that so it fits into the framework better.

Thanks for your help.

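The check the thread converges on (the answer's "are your permission_classes verifying the specific project?" and the question's "users can change its Project ID, moving it into a Project they don't have write access to"), as an added stand-alone example that is not code from the original post and not DRF's own code: a permission class shaped like DRF's `has_object_permission(request, view, obj)` that, on PUT or PATCH, checks the token's write scope against both the Report's current `project_id` and the project the request body wants to move it into. `Token`, `Report`, `Request` and `try_update` are constructed stand-ins (no Django or DRF is imported, so it runs offline); `NaiveProjectPermission` beside it checks only the current project and reproduces the hole described in the question. Two DRF facts the example relies on: in a `ModelViewSet`, PUT is routed to `update()` and PATCH to `partial_update()`, which is why a guard placed only in `partial_update` never fires on a PUT; and `get_object()` calls `check_object_permissions()` before the serializer runs, so `request.data` is already available inside `has_object_permission`.

```python
# Added example: a stand-alone model of the project-scoped write check discussed above.
# Token, Report and Request are constructed stand-ins; the permission classes copy the
# shape of DRF's BasePermission.has_object_permission(request, view, obj) but import
# nothing from Django/DRF so the module runs offline.
from dataclasses import dataclass, field
from typing import Optional

WRITE_METHODS = frozenset({"PUT", "PATCH"})


@dataclass(frozen=True)
class Token:
    name: str
    # None models a broad token that may write to any project; otherwise the
    # set of project ids this project-specific write token may write to.
    project_ids: Optional[frozenset] = None

    def can_write(self, project_id: int) -> bool:
        return self.project_ids is None or project_id in self.project_ids


@dataclass
class Report:
    id: int
    project_id: int  # the foreign key pointing at the parent Project


@dataclass
class Request:
    method: str
    token: Token
    data: dict = field(default_factory=dict)  # parsed body, like DRF's request.data


class NaiveProjectPermission:
    """The hole from the question: only the Report's *current* project is checked,
    so a token scoped to project 1 can re-point a project-1 Report at project 2."""

    def has_object_permission(self, request, view, obj) -> bool:
        if request.method not in WRITE_METHODS:
            return True
        return request.token.can_write(obj.project_id)


class ProjectWritePermission:
    """Hardened form: a write needs write scope on the current project AND on the
    project named in the body, whenever the body re-points the foreign key."""

    def has_object_permission(self, request, view, obj) -> bool:
        if request.method not in WRITE_METHODS:
            return True  # read access is a separate policy, out of scope here
        if not request.token.can_write(obj.project_id):
            return False  # may not touch a Report that lives in this project
        target = request.data.get("project")
        if target is not None and target != obj.project_id:
            return request.token.can_write(target)  # may not move it there either
        return True


def try_update(permission, request: Request, report: Report) -> str:
    """Mimics the order in DRF's UpdateModelMixin: the object permission is
    evaluated on the existing row (via get_object) before any field is written.
    Returns "denied" without touching the row, or "allowed" after applying it."""
    if not permission.has_object_permission(request, view=None, obj=report):
        return "denied"
    report.project_id = request.data.get("project", report.project_id)
    return "allowed"


if __name__ == "__main__":
    scoped = Token("project-1-writer", frozenset({1}))  # constructed token
    move = Request("PATCH", scoped, {"project": 2})      # constructed request body
    print("naive:   ", try_update(NaiveProjectPermission(), move, Report(1, 1)))
    print("hardened:", try_update(ProjectWritePermission(), move, Report(1, 1)))
```

The target-project check could equally live in the serializer's `validate_project`, but keeping both halves in the permission class matches where the thread ends up, and it also covers a PUT, which never reaches `partial_update`.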