views: 5203
answers: 3

I have a Django application that I'd like to add some REST interfaces to. I've seen http://code.google.com/p/django-rest-interface/ but it seems to be pretty simplistic. For instance, it doesn't seem to have a way of enforcing security. How would I go about limiting what people can view and manipulate through the REST interface? Normally I'd put this kind of logic in my views. Is this the right place, or should I be moving some more logic down into the model? Alternatively, is there a better library out there, or do I need to roll my own?

+3  A: 

Well, from the look of things, there's an authentication parameter to Collection. (see this example: authentication.py)

Second, (even if Django doesn't have it yet,) there should probably be a middleware that does CSRF/XSRF form checking. (Oh, there seems to be one.) You should also be able to use the login_required and permission_required decorators in the urls.py.

Anders Eurenius
+3  A: 

Even with the Authentication parameter, you don't have fine-grained control over what people can do. The current implementation of the Django-REST interface doesn't track the user information, so you don't have this information available for doing fine-grained authorization checks.

See Issue #32.

However, it's relatively easy to extend it to add some features. I use a lot of subclasses to add features.

Updating the request with login information, however, is tricky in Django. Rather than do that, I leave the information in the Collection.

Right now, I'd estimate that between patches and subclasses, what I've written is about as big as rolling my own RESTful view functions.

Django-REST, however, gracefully and neatly handles HTTP Digest Authentication. I don't look forward to replacing theirs with some kind of decorator for my Django view functions.

[Maybe we should open a source forge project and work out a clean replacement?]

S.Lott
Google Code seems to be the preferred hosting for reusable Django apps (I'm not sure why)
Jiaaro
@S.Lott: You suggested a sourceforge project; I believe @Jim Robert was suggesting using Google Code instead, since it appears to be the dominant hosting solution for Django apps in general, not commenting on the level of security control itself.
Hank Gay
@Hank Gay: Thanks. Google code is probably preferred because Google has made a large commitment to Python.
S.Lott
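The per-request authorization check that the answer above says the django-rest-interface Collection lacks, written here as an added example (not code from the library or from any poster). Django's `request.user` and `User.has_perm` are replaced by small stand-in classes so it runs offline; the permission codenames follow Django's `app_label.<action>_<model>` convention.

```python
# Added example: map each HTTP verb to a Django-style permission and add an
# object-level owner check, the kind of fine-grained control a Collection
# subclass would need. User/Resource are stand-ins for Django's objects.
from dataclasses import dataclass, field

# Action suffix of the Django permission codename required for each verb.
METHOD_PERMS = {
    "GET": "view",
    "POST": "add",
    "PUT": "change",
    "DELETE": "delete",
}


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)
    is_authenticated: bool = True

    def has_perm(self, codename):
        # Stand-in for django.contrib.auth.models.User.has_perm
        return codename in self.perms


@dataclass
class Resource:
    app_label: str
    model: str
    owner: str  # username of the owning user


def authorize(user, method, resource, owner_only=True):
    """Return True if `user` may apply `method` to `resource`.

    Unknown verbs are denied (fail closed). With owner_only set, write
    verbs on another user's object are denied even if the user holds
    the model-level permission.
    """
    if not user.is_authenticated:
        return False
    action = METHOD_PERMS.get(method.upper())
    if action is None:
        return False
    codename = f"{resource.app_label}.{action}_{resource.model}"
    if not user.has_perm(codename):
        return False
    if owner_only and action != "view" and resource.owner != user.username:
        return False
    return True
```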
+7  A: 

I would look into using the django-piston application (http://bitbucket.org/jespern/django-piston/wiki/Home) if security is your main concern.

I have used django-rest-interface in the past; it's reliable and, though simple, can be quite powerful. However, django-piston seems more flexible going forward.

Mark Ellul