As a developer, you have to secure the exposed endpoints (APIs) according to the desired permission rules.
The openIMIS backend is configured with two authorization layers:
- the default Django (basic) permissions mechanism
- the RBAC ‘django-rules’ extension
If either of the two layers grants access, the user is given access.
openIMIS endpoints can be:
- plain Django ‘views’ endpoints
- django-rest-framework endpoints (recommended)
Permission checks on plain Django ‘views’ endpoints must be written explicitly by the developer (please refer to https://docs.djangoproject.com/en/2.1/topics/security/ ).
The django-rest-framework endpoints, however, have been configured to enforce the default (type-based) Django permissions mapping: GET requires <module>.view_<model>, POST requires <module>.add_<model>, ...
For finer-grained (object-level) security, the django-rules module has been configured and is readily available for use (declaring predicates, ...).
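The following is an added, stand-alone illustration of the two-layer check described above; it is neither openIMIS nor django-rules code. It assumes the PUT/PATCH/DELETE mappings (only GET and POST are given above), a hypothetical `claim` app/model, and a hypothetical `health_facility` attribute on users and claims.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Layer 1: type-based mapping of HTTP method -> Django permission codename.
# GET and POST are the mappings given in the text; PUT/PATCH/DELETE are assumed.
METHOD_TO_ACTION = {"GET": "view", "POST": "add", "PUT": "change",
                    "PATCH": "change", "DELETE": "delete"}

@dataclass
class User:
    username: str
    perms: Set[str] = field(default_factory=set)  # e.g. {"claim.view_claim"}
    health_facility: Optional[str] = None          # hypothetical attribute
    is_active: bool = True

@dataclass
class Claim:  # hypothetical model instance used as the object-level target
    code: str
    health_facility: str

def perm_codename(method: str, app_label: str, model: str) -> str:
    """Map e.g. ("GET", "claim", "claim") -> "claim.view_claim"."""
    return f"{app_label}.{METHOD_TO_ACTION[method.upper()]}_{model}"

def model_level_grants(user: User, codename: str) -> bool:
    """Layer 1: the user holds the Django model permission itself."""
    return user.is_active and codename in user.perms

# Layer 2: object-level predicates keyed by the same codename, in the style
# of django-rules (a predicate receives the user and the object).
Predicate = Callable[[User, object], bool]
RULES: Dict[str, Predicate] = {}

def add_rule(codename: str, predicate: Predicate) -> None:
    RULES[codename] = predicate

def rules_grant(user: User, codename: str, obj: Optional[object]) -> bool:
    predicate = RULES.get(codename)
    # No registered predicate, or no object to evaluate it on, grants nothing.
    return bool(obj is not None and predicate is not None and predicate(user, obj))

def has_permission(user: User, method: str, app_label: str, model: str,
                   obj: Optional[object] = None) -> bool:
    """Access is granted if EITHER layer grants it; otherwise it is denied."""
    codename = perm_codename(method, app_label, model)
    return model_level_grants(user, codename) or rules_grant(user, codename, obj)

# Hypothetical predicate: a user may change claims from their own facility only.
add_rule("claim.change_claim",
         lambda user, claim: user.is_active
         and user.health_facility == claim.health_facility)
```

Note that a request carrying only a model-level permission passes layer 1 regardless of the object, so object-level restrictions only bite for users who lack the broad Django permission.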