I want to add authentication to my API, so only authorized people can see the data.

To my resource class I added:

authentication = BasicAuthentication()
authorization = DjangoAuthorization()

Then I added a new user using Django admin. He's listed as active and staff. No other permissions have been given.

Now when I try the resource URL, it asks for credentials.

When I use the new user's credentials, I get nothing:

{"meta": {"limit": 20, "next": null, "offset": 0, "previous": null, "total_count": 0}, "objects": []}

No objects, nothing. If I log in as root, I see all the data.

How do I assign stuff to the user so it can see the resources?

R0b0tn1k

1 Answer

Firstly, staff status only designates whether the user can log into this admin site. You should see "What's the difference between staff, admin, superuser in django?"

Secondly, Tastypie's DjangoAuthorization checks the permissions a user has been granted on the resource's model (via django.contrib.auth.models.Permission). See https://django-tastypie.readthedocs.io/en/latest/authorization.html#djangoauthorization

Obviously, the reason why root can see all the data is that root is a superuser. Thus, you can:

  • grant the user superuser status;

  • grant the user read permission (can change ..) on the current resource_model;

padeny