[BUG] Websocket Decorator Permissions #1009
Comments
|
@ckrew is the authentication enforced currently? Can a anonymous in user access a web socket? |
|
So if I use an incognito window and open up the dev tools, I can connect to the websocket using the lines below. If I add a breakpoint in the python code, the code above connects to the websocket and I get the scoped user below You can see that it is anonymous and not authenticated (which I was wrong about in the description) but it can still connect to the websocket unless I put some custom user handling like the code below. If I connect to the websocket from tethys using an actual user, I can get the id of the scoped user and get the actual user from django users. I get the results below which shows the actual user is not anonymous and it is active. |
Describe the bug
Currently the websocket decorator has an authenticator but no way to check permissions to make sure the user (or anonymous user) should be able to access the endpoint.
Expected behavior
The websocket decorator should have an option to specify permissions to access the endpoint, just like the controller decorator. That way a user can be checked for authentication and authorization.
Tethys Environment Information
The text was updated successfully, but these errors were encountered: