Authorization
Access to task artifacts and status records through the REST API is restricted by Django’s authorization mechanism. The following permissions are checked when assorted operations are attempted:
user_tasks.cancel_usertaskstatus
user_tasks.change_usertaskstatus
user_tasks.delete_usertaskstatus
user_tasks.view_usertaskstatus
user_tasks.change_usertaskartifact
user_tasks.delete_usertaskartifact
user_tasks.view_usertaskartifact
These permissions can be managed via Django’s default database-backed authorization implementation, but an alternative authorization backend can be easier to manage and can support object-level permissions (for example, to determine if a user has permission to view and cancel a particular task but not others). There is an Authorization grid on Django Packages listing several such backends; the test suite for django-user-tasks uses the rules package to define rule-based permissions which require no additional database setup. These rules can be used in other applications via user_tasks.rules.add_rules(), if desired.
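An owner-only policy of the kind described above, written as a minimal authorization backend. This is an added example, not code from django-user-tasks: the OwnerTaskBackend class and its policy are hypothetical, and it assumes UserTaskStatus has a user field and UserTaskArtifact has a status field pointing at its task. The stand-in objects are constructed so the block runs without Django.

```python
from types import SimpleNamespace

# Assumed policy: owners may view and cancel their own tasks and view the
# artifacts of those tasks. Nothing else is granted by this backend.
OWNER_STATUS_PERMS = {
    "user_tasks.view_usertaskstatus",
    "user_tasks.cancel_usertaskstatus",
}
OWNER_ARTIFACT_PERMS = {"user_tasks.view_usertaskartifact"}


class OwnerTaskBackend:
    """Hypothetical backend answering object-level checks only."""
    # In a project: subclass django.contrib.auth.backends.BaseBackend and
    # list the class in AUTHENTICATION_BACKENDS.

    def authenticate(self, request, **credentials):
        return None  # authentication is left to the other backends

    def get_user(self, user_id):
        return None

    def has_perm(self, user_obj, perm, obj=None):
        # No object means a model-level check: defer to the other backends.
        if obj is None or not getattr(user_obj, "is_active", False):
            return False
        if perm in OWNER_STATUS_PERMS:
            owner = getattr(obj, "user", None)  # assumed UserTaskStatus.user
        elif perm in OWNER_ARTIFACT_PERMS:
            # assumed UserTaskArtifact.status -> UserTaskStatus.user
            owner = getattr(getattr(obj, "status", None), "user", None)
        else:
            return False  # change/delete are never granted by ownership
        return owner is not None and owner.pk == user_obj.pk


def demo():
    # Constructed stand-ins for the real user, status and artifact models.
    alice = SimpleNamespace(pk=1, is_active=True)
    bob = SimpleNamespace(pk=2, is_active=True)
    status = SimpleNamespace(user=alice)        # Alice's task
    artifact = SimpleNamespace(status=status)   # output of that task
    check = OwnerTaskBackend().has_perm
    return {
        "owner_cancel": check(alice, "user_tasks.cancel_usertaskstatus", status),
        "other_cancel": check(bob, "user_tasks.cancel_usertaskstatus", status),
        "owner_artifact": check(alice, "user_tasks.view_usertaskartifact", artifact),
        "other_artifact": check(bob, "user_tasks.view_usertaskartifact", artifact),
        "owner_delete": check(alice, "user_tasks.delete_usertaskstatus", status),
    }
```

Django’s default ModelBackend grants nothing when an object is passed to the check, so a backend like this one is what decides per-object requests.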
Restriction of status and artifact listings in the REST API to only those which the requesting user has permission to view can be done via the USER_TASKS_ARTIFACT_FILTERS and USER_TASKS_STATUS_FILTERS settings. See the settings documentation for more information on how those work.
Artifact URL Access
Although the permission checks above cover most attempts to interact with a task, the artifacts associated with it may be located at URLs with less restricted access:
UserTaskArtifact.text is actually stored as part of the model instance, and hence is covered by whichever authorization backend you’ve chosen to use. But it’s limited to text content only, and is not recommended for large amounts of data.
UserTaskArtifact.url has no inherent security; the data at that URL is only as secure as the access restrictions placed on it by the hosting system (which may or may not be the same service which is using django-user-tasks). The URL may be hard to guess, but once discovered might be accessible to users other than those with view permission for the artifact instance unless appropriate measures are taken.
UserTaskArtifact.file uses URLs generated by the Django file storage system in use. The default implementation imposes no particular access restrictions on the generated files, but alternatives with better security are available. For example, if you use the s3boto or s3boto3 backend from django-storages with a private Amazon S3 bucket, the artifact content URL will be presigned with query parameters which allow access to the file for a limited time (determined by the AWS_QUERYSTRING_EXPIRE setting), so the content cannot be accessed just by guessing the URL or gaining access to a previously served link with expired signature query parameters.