Hi,
 
At the moment I am trying to figure out the best way to provide non-authenticated and non-registered users temporary (read and update) access to objects.
 
The first idea I had was storing a token for every instance of the model:

    token = models.CharField(max_length=64, unique=True)

which I then create in the serializer via:

    import uuid

    def perform_create(self, serializer):
        # Generate a random token on creation and store it with the object
        serializer.save(owner=self.request.user, token=str(uuid.uuid4()))
 
Giving a non-registered user this token enables him to access this resource and update it, so everything is fine from this side, but:
  1. Realizing it in this way results in the user having unlimited access (with regard to time) to that resource. I would like to limit the possible access with regard to time via TimestampSigner from the django.core.signing package by also storing a max_age per item and using that to verify the token and the age via signer.unsign(token, max_age=token_age). Unfortunately I do not know how to integrate such a mechanic into the rest-framework in combination with generics.RetrieveUpdateAPIView.
  2. Maybe there are better ways to achieve that goal? I could overwrite the token after the specific max_age is exceeded so that only the authenticated owner gets access to it and the non-registered user will no longer be in possession of the token for this item.
Thoughts? Hints? Solutions for the TimestampSigner approach?
Best Regards,
Mike
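As an added example (not from Mike's post and not Django's own code), here is the timestamped-token mechanic from point 1 written in plain Python so it runs without Django: sign_share_token/unsign_share_token mirror what TimestampSigner.sign() and unsign(max_age=...) do (an HMAC over value plus timestamp, simplified to a plain integer timestamp and a constructed secret instead of settings.SECRET_KEY), and HasValidShareToken shows the shape of the object permission you would attach to the RetrieveUpdateAPIView. The owner_id and token_max_age fields and the ?token= query parameter are assumptions.

```python
import hashlib
import hmac
import time
from base64 import urlsafe_b64encode

# Constructed secret for this example; Django's TimestampSigner uses settings.SECRET_KEY.
SECRET_KEY = b"example-secret-not-for-production"

class BadSignature(Exception): pass
class SignatureExpired(BadSignature): pass   # same hierarchy as django.core.signing

def _mac(payload: str) -> str:
    digest = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return urlsafe_b64encode(digest).decode().rstrip("=")

def sign_share_token(object_id: int, issued_at=None) -> str:
    """Build 'object_id:timestamp:mac', the shape TimestampSigner.sign() produces."""
    ts = int(time.time()) if issued_at is None else issued_at
    payload = f"{object_id}:{ts}"
    return f"{payload}:{_mac(payload)}"

def unsign_share_token(token: str, max_age: int, now=None) -> int:
    """Mirror TimestampSigner.unsign(token, max_age=...): check the MAC before the age."""
    try:
        object_id, ts, mac = token.rsplit(":", 2)
    except ValueError:
        raise BadSignature("malformed token")
    if not hmac.compare_digest(mac, _mac(f"{object_id}:{ts}")):
        raise BadSignature("signature does not match")
    age = (int(time.time()) if now is None else now) - int(ts)
    if age > max_age:
        raise SignatureExpired(f"token is {age}s old, max_age is {max_age}s")
    return int(object_id)

def anonymous_access_allowed(token, obj_pk: int, token_max_age: int, now=None) -> bool:
    """Grant an unauthenticated caller access only with a fresh token for this exact object."""
    if not token:
        return False
    try:
        return unsign_share_token(token, token_max_age, now) == obj_pk
    except BadSignature:      # covers expiry, tampering and malformed input alike
        return False

class HasValidShareToken:
    """Shape of a DRF object permission: the owner always passes, others need ?token=..."""
    def has_object_permission(self, request, view, obj) -> bool:
        if request.user.is_authenticated and obj.owner_id == request.user.pk:
            return True
        return anonymous_access_allowed(request.query_params.get("token"), obj.pk, obj.token_max_age)
```

Because the expiry lives inside the signed token rather than in the database, the owner never has to rotate anything: once max_age has passed the old token simply stops verifying.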

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/trinity-95293c08-16e6-4d7d-9690-3199d2874627-1447253049712%403capp-gmx-bs41.