0

in django drf can a authenticated user with token access other users data? I know it shouldn't but in my application its not happening. for testing I was using the token in postman but I was surprised when I see by using one users token I can access any other user data by changing PK in url. when I researched this on internet I couldn't find any definite answer. may be I was using the token authentication method wrongfully...

but my main question is: If I have one users token then by just changing pk in url, should I be able to get other users data? if so how to avoid that?

(Note: I am currently NOT using HTTPS. ) (also this is a conceptual question so after getting answer of this I may need to ask another question regarding error in my code; that I will. but please provide answer to this)

Ashwin Bande
  • 3
  • 2

2 Answers2

1

If your view for sending user data has only the permission class isAuthenticated, then yes this behavior is to be expected. What you need to do is to implement Another permission isOwner that checks if the user asking for the data is its owner or not.

xplo4d
  • 264
  • 1
  • 6
0

No. if that happened, it means you implement authentication the wrong way.

Make sure you set authentication scheme to 'rest_framework.authentication.TokenAuthentication'

and include 'rest_framework.authtoken' in your INSTALLED_APPS

Cuong Vu
  • 3,423
  • 14
  • 16