Securing get methods - _s_check_perms

[kchaSCK]

Hi Thomas, all,

I'm new in RESTful API development, but your project is really helping me learn and understand how it works.

For the last week I have been working on securing access to the API on instance level. I.e. a user logged in, to be able to access only data related to his User Instance. Worked fine with overriding the _s_post and _s_patch as written in the docs - they now require a proper session token to work. However, I am struggling to secure the GET method, as it can't be overridden.

In the docs, you mention overriding _s_check_perms as a way to implement more granular access controls. I'm failing to find any details or any such method in the project code.

Can you give me a hint on how _s_check_perms overriding looks like?

Thanks,
Karstin

[kchaSCK]

Hold this one, I found the method. There is a small typo in the guide, at it refers to _s_check_perms. The class is without the s at the back. I will research it and write an example for everyone else if I succeed.

Cheers,

[thomaxxl]

Hi,

Allowing _s_get override similar to _s_post and _s_patch is certainly on my todo list, once I find time for a major update.

Wrt implementing security controls in safrs, several options are possible, depending on the use case, for example:

• Flask decorators
• Override SAFRSBase methods (to_dict, _s_check_perms, _s_patch, init`, etc.)
• custom SQLAlchemy columns
• Database/orm-level controls, I think osohq integration should be possible (though I haven't used this myself).

I use various approaches in my projects, but it's difficult to explain concisely, or implement generically in safrs.