Serializing `add` permissions can be out of sync with real permissions
There is an old issue we had in DjangoLDP Circle permissions:

I can only add `CircleMember` objects to Circles of which I am a member, but if I POST to `/circle-members/` then there is no way that I can know, without reading the `validated_data`, to which circle I am posting.

We fixed this by adding `is_safe_create` to `LDPViewSet`, allowing you to return `False` if something in the validated data isn't right (for this case and if I am a hacker trying to sneak a different circle into my POST data).

We then return `add` permissions for any authenticated user so that the check `has_permission` (and in 2.1 `has_container_permission`) pass.

However this means that on my container `add` is serialized in the permissions when really I don't have it.

There's a commented out test for this in djangoldp-community `tests_permissions.py`.
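
The mismatch described above, modelled as an added example that is not DjangoLDP code: `has_container_permission` and `is_safe_create` borrow their names from the issue but are simplified stand-in functions, and `Circle`, `User`, `serialized_permissions`, `post_circle_member` and `overadvertised_add` are hypothetical. `overadvertised_add` is the kind of consistency check a permissions test could assert on.

```python
# Standalone model of the mismatch; no Django or DjangoLDP imports, all names and data constructed.
from dataclasses import dataclass, field


@dataclass
class Circle:
    name: str
    members: set = field(default_factory=set)


@dataclass
class User:
    name: str
    authenticated: bool = True


def has_container_permission(user):
    # Coarse check: runs before the body is read, so it cannot see the target circle.
    return user.authenticated


def is_safe_create(user, validated_data):
    # Fine check: only possible once validated_data is available.
    return user.name in validated_data["circle"].members


def serialized_permissions(user):
    # What the container advertises, derived from the coarse check alone.
    return ["add"] if has_container_permission(user) else []


def post_circle_member(user, validated_data):
    # Both checks must pass before the CircleMember is created.
    if not (has_container_permission(user) and is_safe_create(user, validated_data)):
        return 403
    validated_data["circle"].members.add(validated_data["user"])
    return 201


def overadvertised_add(user, circles):
    # True when "add" is serialized but no circle would accept a create from this user.
    usable = any(is_safe_create(user, {"circle": c}) for c in circles)
    return "add" in serialized_permissions(user) and not usable


if __name__ == "__main__":
    circle = Circle("constructed-circle", {"alice"})
    for person in (User("alice"), User("bob")):
        print(person.name, serialized_permissions(person), overadvertised_add(person, [circle]))
```

The create is still refused for a non-member, so the gap is in what the client is told, not in enforcement.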