Imagine I have an app with following models:
Project
- owner
- field_proj_a
- field_proj_b
Dataset
- usecase (ForeignKey)
- derived_owner (a calculated property, reflecting the owner field of the Project, readonly)
- field_data_a
- field_data_b
and the regular django “User”.
Of course the example above is minimal. I got a few more models, with a range of different relations to other fields, where the hierarchy is derived from the Project “downwards”. Hope that makes sense.
I’ve read through the usual sources in the net. What I thought of so far was:
- Creating the owner from the logged-in user on Project creation (in perform_create of Project view)
- Filtering Querysets to owner of respective model (therefore adding the calculated property “derived_owner”, based on Project ownership)
- Setting an “IsOwner” permission as standard additionally to “IsAuthenticated”, checking the “derived_owner” or “owner” of the respective model.
Now when a user creates a Dataset, the user chooses the project it is referring to. How do I make sure the objects referred to via ForeignKey (and other relational field types) are checked for having the logged-in user as the owner (of the referred Project) in a POST/WRITE (to Dataset) request?
With the setup described above, a non-friendly user could still “attach” his new Dataset to a project he does not have access to (e.g. by guessing the FK). How do I mitigate this?