Django-tastypie: prepend_urls bypasses authentication

In my experience it's much easier and more elegant to only use the override_urls function and create your own dispatch child method. It's less code, adheres to all your child resource meta properties (including authentication) and then some.

Example:

    def override_urls(self):
        return [
            url(r'^(?P<resource_name>%s)/(?P<pk>\w[\w/-]*)/tags%s$' % (self._meta.resource_name, trailing_slash()), self.wrap_view('dispatch_tags'), name='api_article_tags'),
        ]

    def dispatch_tags(self, request, **kwargs):
        return ArticleTagResource().dispatch('list', request, **kwargs)

This basically lets your ArticleTagResource handle the whole request from /article/1/tags/ as if it was requested as a list-view (change "list" to "detail" to make it behave like detail-view).

I haven't tried this yet but if it works as you say it'll definitely be an approach for me to take. However, I still think what I've reported here is an issue with Tastypie - basically if you use a technique illustrated in the cookbook authentication can be completely bypassed without the developer even realising.

i got the same issue and i tried joeribekker's method same results, any idea when this will be fixed? or any workarounds?

I like the idea of using Resource.dispatch(), but if you want to do something more complicated than a detail or list view, then it's not really viable.

One solution I've been thinking about is moving some of the heavier lifting from Resource.dispatch() into Resource.wrap_view() so that wrap_view() could be used to arbitrarily wrap any view, while applying all of the authentication, authorization, and throttling rules (possibly the method check too, although more on that below).

I have run into this issue with throttling. My current workaround is to have a decorator which I wrap my custom views in: @apply_throttle. The decorator copies code more or less from Resource.throttle_check() and Resource.log_throttled_access().

It may be most effective for tastypie to have both a more complete wrap_view() (including the above) _and_ decorators (or some other way to selectively apply these things), just in case the developer's intention for using the overrides is to actually get around the normal behavior (eg, if you have an overridden endpoint that needs different throttling or relaxes auth requirements). Decorators would also be a good way to apply specific method checks (GET, POST, etc) to overrides, without having to have that boilerplate at the beginning of your method. I know I've used overrides where all of these would have been useful.

What are everyone's thoughts toward that kind of solution? I'm definitely interested in working on this, but I'm pretty strapped for time right now.

I have been struggling with this but I found and answer on SO.
http://stackoverflow.com/questions/11827368/tastypie-override-urls-ignores-authentication-and-authorization

This is an old thread but since the issues is still open and ranked high in my search... a call to
self.is_authenticated(request) in the fist line of the handler will take care of the issue. tested with tastypie 0.11 & 0.12.

The cookbook now recommends using self.wrap_view() inside prepend_urls(), closing this issue.

Event with wrap_view, I needed self.is_authenticated(request) in the handler method.