I have a model called Lead which represents my possible future customer.
In order to update a boolean field called is_approved in this model, I'm sending an email to the Lead's email ID along with a URL, and this URL will take you to a page on my website where it asks for approval.
How do I deal with permissions in Django Rest framework views? There is no Django user associated with the Lead model and I cannot use any authentication related classes.
Is an obscured URL along with the AllowAny permission good enough?
What generally happens in a normal scenario for validation of emails is that they generate a unique token for the corresponding email. Then, when the user clicks on the link in the email, he is taken to a page where there could be a form submit which goes to a POST page, or it just validates directly.
The only security is that the unique id is just unique and there is a very rare chance for someone to generate those ids via brute force. That's the only security. You can also add an expiry that makes the link valid only for a few days.
You find the corresponding email associated with it and update the is_approved field accordingly.
Your model and view should look something like this.
import uuid

from django.db import models
from django.shortcuts import get_object_or_404
from django.urls import reverse
from rest_framework.permissions import AllowAny
from rest_framework.response import Response
from rest_framework.views import APIView


class Lead(models.Model):
    email = models.EmailField()
    # Random, unguessable token that stands in for the lead's identity in the link.
    unique_id = models.CharField(max_length=36, unique=True, default=uuid.uuid4)
    is_approved = models.BooleanField(default=False)

    def get_absolute_url(self):
        return reverse('lead_verification', kwargs={'unique_id': self.unique_id})


class LeadVerificationView(APIView):
    # No logged-in user exists for a Lead, so the token is the only credential.
    permission_classes = [AllowAny]

    def post(self, request, unique_id):
        lead = get_object_or_404(Lead, unique_id=unique_id)
        lead.is_approved = True
        lead.save(update_fields=['is_approved'])
        return Response({'is_approved': True})
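The token flow the answer describes, including the expiry it suggests, as an added stand-alone example that is not part of the answer above: an in-memory dict stands in for the Lead table so it runs without Django, the three-day lifetime and the example.com base URL are assumptions, and the token is generated with the secrets module rather than uuid4 (either gives enough randomness to make guessing infeasible; this one has 256 bits).

```python
"""Added example: approval tokens with expiry, standing in for the Lead model and view."""
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: links stay valid for 3 days (the answer only says "a few days").
TOKEN_LIFETIME = timedelta(days=3)

# Stand-in for the Lead table, constructed for this example: token -> lead record.
LEADS = {}


def create_lead(email, now=None):
    """Create a lead and issue an unguessable approval token with an expiry."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; brute force is infeasible
    LEADS[token] = {
        'email': email,
        'is_approved': False,
        'token_expires_at': now + TOKEN_LIFETIME,
    }
    return token


def approval_url(token, base='https://example.com/leads/verify/'):
    """Build the link that goes into the email; the token is the only secret in it."""
    return f'{base}{token}/'


def approve_lead(token, now=None):
    """Return (ok, reason); flips is_approved only for a live, not-yet-used token."""
    now = now or datetime.now(timezone.utc)
    lead = LEADS.get(token)
    if lead is None:
        return False, 'unknown token'      # answer with 404; reveal nothing about emails
    if now > lead['token_expires_at']:
        return False, 'token expired'      # the expiry the answer suggests adding
    if lead['is_approved']:
        return False, 'already approved'   # one-shot: replaying the link changes nothing
    lead['is_approved'] = True
    return True, 'approved'


def demo():
    """Walk the flow with fixed clock values so the outcome is reproducible."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = create_lead('lead@example.com', now=t0)
    return [
        approve_lead('not-a-real-token', now=t0),
        approve_lead(token, now=t0 + timedelta(days=1)),
        approve_lead(token, now=t0 + timedelta(days=1)),
        approve_lead(create_lead('late@example.com', now=t0), now=t0 + timedelta(days=4)),
    ]


if __name__ == '__main__':
    for outcome in demo():
        print(outcome)
```

In the Django version the dict lookup becomes `Lead.objects.get(unique_id=...)` and the expiry a `DateTimeField` on the model; the checks in `approve_lead` map directly onto the view's `post` method.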