Regarding OpenWISP REST API Project Idea


Manish Shah

Apr 3, 2021, 6:49:22 PM
to OpenWISP Google Summer of Code
Greetings everyone,
After going through the OpenWISP REST API idea in detail and working on its first task, I have somewhat familiarised myself with DRF and its implementation.

One thing that is not clear to me with respect to the endpoints of users and organizations is that it is mentioned that we have to respect multi-tenancy in every writable field, but to my understanding, different classes of multi-tenancy are themselves based on organizations.

So, can I please get a brief on this point?

Kind Regards, 
Manish Kumar Shah

ajay39in

Apr 4, 2021, 4:38:41 AM
to OpenWISP Google Summer of Code
Hi,

> different classes of multi-tenancy are themselves based on organizations.

Some classes are helping us to implement parts of multi-tenancy but which one do you mean and have you tested if all the objects are isolated with the help of that class?
I am not sure if I correctly understand this, could you please rephrase this or use an example?

But basically, respecting multi-tenancy means that if, say, we create 2 organizations, org1 and org2, then
- A user who is only a member in org1 should not be able to see the objects of org2 in the API list view, the org2's objects should not appear in the dropdowns of the org1 objects and of course a member of org1 should not be able to create / update / delete the objects of org2.
- A user who is a part of both the orgs should be able to manipulate the objects of both the orgs.
- Superusers should be able to see all objects and manipulate all of them.

You can see this in action in the admin UI itself if you create staff users who are in different organizations. 

Example: In radius API you can see we are filtering based on self.organization for this view here: https://github.com/openwisp/openwisp-radius/blob/0e13154419982663d2c0ef31c417841e61605110/openwisp_radius/api/views.py#L472-L479


Best,
Ajay Tripathi

Manish Shah

Apr 4, 2021, 6:47:48 AM
to OpenWISP Google Summer of Code
Hi,


> could you please rephrase this or use an example?

For eg: I try to make a serializer for performing CRUD operations on organization [second task of OpenWISP REST API project]
```
from openwisp_users.models import Organization
from openwisp_utils.api.serializers import ValidatedModelSerializer


class OrganizationSerializer(ValidatedModelSerializer):
    class Meta:
        model = Organization
        # '__all__' exposes every model field through the API
        fields = '__all__'
```
So, in the above case, suppose we have a view to allow creating an organization here; will we be required to inherit any of the openwisp-users multi-tenant serializer classes?

PS: I am trying to understand different filtering custom mixins and Multi-tenant serializers from the openwisp-users module. I haven't tested the above code.

Thank You,
Manish

Federico Capoano

Apr 4, 2021, 2:45:43 PM
to Manish Shah, OpenWISP Google Summer of Code
Good question Manish.

The implementation of multi-tenancy for organizations and users is more complex than the other objects.

We already implemented this logic in the admin so when in doubt double check the django admin, we must make sure the two are consistent. If possible we should also make sure to share some code between admin and DRF api, to avoid code duplication and ease maintenance.

We must grant permissions to create new organizations only to superusers.
Org managers should be able to view their org details.
Org owners should be able to edit and delete the details of their org and related org objects.

Regarding users, also there it should work exactly like the django admin, we did a lot of work there so please when in doubt see the code there. Here's how it's implemented at the moment:

- superusers can do anything
- org managers who have the required django permissions can manage users of their org (add/create/delete) but cannot change details of superusers nor org owners if I'm not wrong, not sure about other org managers, maybe they can only view details of other org managers and only org owner can change/delete details of org managers but please double check

Any other question?

Ajay is this part clear for you?

Federico
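
The tenant-isolation rules Ajay lists and the organization-endpoint rules in Federico's reply, as an added example that is not part of the thread or OpenWISP's own code: a framework-free Python model in which `User`, `visible`, `org_choices`, `can_write_object` and `can_on_organization` are hypothetical names, roles are assumed to rank owner > manager > member, and the sample data is constructed. It goes slightly beyond the text by checking both the stored and the submitted organization on a write.

```python
from dataclasses import dataclass, field

# Assumption of this sketch: owner implies manager implies member.
RANK = {"member": 1, "manager": 2, "owner": 3}

@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)  # org name -> role in that org
    is_superuser: bool = False

    def has_role(self, org, role):
        # Superusers pass every check; everyone else needs a sufficient role.
        return self.is_superuser or RANK.get(self.roles.get(org), 0) >= RANK[role]

def visible(user, objects):
    """List view: only objects whose organization the user belongs to."""
    return [o for o in objects if user.has_role(o["org"], "member")]

def org_choices(user, all_orgs):
    """Dropdown / writable organization field: same filter as the list view."""
    return [org for org in all_orgs if user.has_role(org, "member")]

def can_write_object(user, payload, existing=None):
    """Create/update/delete: check the stored org and the org in the payload,
    so an object cannot be moved into or out of a foreign organization."""
    orgs = {payload["org"]} | ({existing["org"]} if existing else set())
    return all(user.has_role(org, "member") for org in orgs)

def can_on_organization(user, action, org=None):
    """Organization endpoint: create is superuser-only, view needs manager,
    change/delete needs owner; unknown actions are denied."""
    if action == "create":
        return user.is_superuser
    if action == "view":
        return user.has_role(org, "manager")
    if action in ("change", "delete"):
        return user.has_role(org, "owner")
    return False

# Constructed sample data
OBJECTS = [{"id": 1, "org": "org1"}, {"id": 2, "org": "org2"}]
alice = User("alice", {"org1": "manager"})
bob = User("bob", {"org1": "member", "org2": "owner"})
root = User("root", is_superuser=True)
```

In a DRF view the same decisions would sit in `get_queryset`, the serializer's related-field querysets and a permission class.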


Manish Shah

Apr 5, 2021, 1:53:09 AM
to OpenWISP Google Summer of Code
Thank you, Federico, for clearing this up.
No question as of now.

Best Regards,
Manish

Ajay Tripathi

Apr 6, 2021, 10:20:25 AM
to OpenWISP Google Summer of Code
Hi,

> Ajay is this part clear for you?

Yes, I didn't understand the question correctly but the answer is clear.


Thanks,
Ajay

Ajay Tripathi

May 8, 2021, 1:08:24 PM
to OpenWISP Google Summer of Code
Hi,

As per the last discussion, I have been following the admin UI to compare API where I am not sure about something and I wanted to confirm 5 things:

1. Why does the operator have access to pages like template / add template if they don't have access to view the templates or create them?
(Notice in the image below, I can get to add template page but cannot make templates from org dropdown has nothing inside it.)

(Same for device, nothing is visible to operator)

2. For the create VPN client dropdowns, the information isn't filtered for the organization but all the items are displayed, even in the admin UI, is this okay? Shouldn't we actively filter them as the user changes org, at least in the admin UI? :-)


Same for Credentials, all of them are displayed not filtered as per device org.
Same for creating CA

3. Templates associated with shared organization are not visible in list to org1 admin user, just the superuser can see it. However, the shared org templates appear in the device's list. Is this desirable?



4. No templates are visible on device create page, only visible on device change page (although I doubt user in production will ever create a device like this):

5. Not sure why, but it looks like reset password URLs have lost their styles, is this intentional?

I realize some of them might be desirable behavior, just want to confirm.


Thanks,
Ajay Tripathi

Federico Capoano

May 9, 2021, 7:26:32 PM
to Ajay Tripathi, OpenWISP Google Summer of Code
> 5. Not sure why, but it looks like reset password URLs have lost their styles, is this intentional?

It's not intentional but most likely it's happening only in the development environment because AFAIK it works correctly when deployed via ansible-openwisp2.

Are you referring to openwisp-controller? If yes, can you open an issue please? 

For the rest, I'm trying to reply but there are differences between the screenshots posted and the email text, so I ask you to please try again sending text and images together.

Ajay Tripathi

May 10, 2021, 11:45:28 AM
to OpenWISP Google Summer of Code
Hi,

Please ignore the earlier mail, Google Groups is not allowing me to send the questions with images properly.
I've included the images and questions in the link below, are you able to see the images followed by their questions here?
