I have a model called Lead which represents my possible future_customer.

In order to update a boolean field called is_approved in this model, I'm sending an email to the Lead's email ID along with a URL and this URL will take you to a page in my website where it asks for Approval.

How do I deal with permissions in Django REST framework views? There is no Django user associated with the Lead model and I cannot use any authentication related classes.

Is an obscured URL along with the AllowAny permission good enough?

NAVEEN KUMAR
pnhegde

1 Answer

What generally happens in a normal scenario for validation of emails is that they generate a unique token for the corresponding email. Then, when the user clicks on the email, he is taken to a page where there could be a form submit which takes to a POST page or just validates directly.

The only security is that the unique id is just unique and there is a very rare chance for someone to generate those ids via brute force. That's the only security. You can add an expiry also that makes the link valid only for a few days.

You find the corresponding email associated with the same and update the is_approved field accordingly.

Your model and view should look something like this.

import uuid

from django.db import models
from django.shortcuts import get_object_or_404
from django.urls import reverse
from rest_framework import status
from rest_framework.permissions import AllowAny
from rest_framework.response import Response
from rest_framework.views import APIView


class Lead(models.Model):
    email = models.EmailField()
    # Random, unguessable token that goes into the emailed URL (uuid4 is stored as text)
    unique_id = models.CharField(max_length=36, default=uuid.uuid4, unique=True)
    is_approved = models.BooleanField(default=False)

    def get_absolute_url(self):
        return reverse('lead_verification', kwargs={'unique_id': self.unique_id})


class LeadVerificationView(APIView):
    # No authentication: the token in the URL is the only credential
    permission_classes = (AllowAny,)

    def post(self, request, unique_id):
        lead = get_object_or_404(Lead, unique_id=unique_id)
        lead.is_approved = True
        lead.save(update_fields=['is_approved'])
        return Response({'is_approved': True}, status=status.HTTP_200_OK)
Bipul Jain
  • Bipul, That's what I ended up doing in fact. I looked into Djoser's activation_email code and they have no other security except uuid in the url. Thanks anyway. – pnhegde Apr 03 '17 at 13:09
  • @pnhegde Hope it still answered your question then. Upvote, accept and close. :) – Bipul Jain Apr 03 '17 at 13:24
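As an added example (not from the answer, the question or Djoser), the token handling the answer describes in framework-free Python: issue a random token, store only its hash, enforce the expiry the answer suggests, and make the link single-use. The Lead dataclass and the field names token_hash and token_expires_at are constructed stand-ins for model fields; with Django's ORM the loop becomes one filter on the hash column.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Iterable, Optional


# Constructed stand-in for the Lead model (hypothetical field names):
# only the fields the approval flow needs.
@dataclass
class Lead:
    email: str
    is_approved: bool = False
    token_hash: Optional[str] = None          # sha256 of the token; raw token is never stored
    token_expires_at: Optional[float] = None  # unix timestamp


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_approval_token(lead: Lead, valid_for_s: int = 3 * 24 * 3600,
                         now: Optional[float] = None) -> str:
    """Create an unguessable token, record its hash and expiry on the lead,
    and return the raw token for the emailed URL (the only place it appears)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
    lead.token_hash = _digest(token)
    lead.token_expires_at = now + valid_for_s
    return token


def approve_with_token(leads: Iterable[Lead], token: str,
                       now: Optional[float] = None) -> Optional[Lead]:
    """Approve the lead whose token matches and is unexpired. Returns the lead,
    or None for an unknown, expired or already-used token (one answer for all
    three, so a probe learns nothing beyond 'no')."""
    now = time.time() if now is None else now
    presented = _digest(token)
    for lead in leads:  # with an ORM: one indexed lookup on token_hash
        if lead.token_hash is None or lead.token_expires_at is None:
            continue
        if not hmac.compare_digest(lead.token_hash, presented):
            continue
        if now > lead.token_expires_at:
            return None                       # link expired; lead stays unapproved
        lead.is_approved = True
        lead.token_hash = None                # single use: the link cannot be replayed
        lead.token_expires_at = None
        return lead
    return None
```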