Fix Insecure API Management in Django
Insecure API management in Django REST Framework (DRF) usually shows up as Broken Object Level Authorization (BOLA), missing rate limits, and overly permissive CORS policies. If you rely on DRF's default settings, you are probably exposing PII. The fix is to enforce strict object ownership, add throttling to blunt brute-force attempts, and apply the 'deny-all' principle to every endpoint.
The Vulnerable Pattern
from rest_framework import viewsets
from .models import Invoice
from .serializers import InvoiceSerializer

class InvoiceViewSet(viewsets.ModelViewSet):
    # VULNERABILITY: Returns all invoices to any authenticated user.
    # An attacker can iterate IDs (IDOR) to steal data.
    queryset = Invoice.objects.all()
    serializer_class = InvoiceSerializer
The Secure Implementation
The secure implementation fixes the API in three ways:
1. Scoped Querysets: By overriding get_queryset, the query itself is restricted to the requesting user's records, so rows belonging to other users are never returned. This mitigates IDOR at the source.
2. Custom Permissions: The IsOwner class enforces object-level authorization (BOLA protection) for operations like PUT or DELETE.
3. Throttling: Adding UserRateThrottle prevents automated scraping and DoS attacks against the endpoint.
This moves the API from 'open-by-default' to a zero-trust architecture.
from rest_framework import viewsets, permissions, throttling
from .models import Invoice
from .serializers import InvoiceSerializer

class IsOwner(permissions.BasePermission):
    # Object-level check: only the owner may read or modify an individual invoice.
    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user

class InvoiceViewSet(viewsets.ModelViewSet):
    serializer_class = InvoiceSerializer
    permission_classes = [permissions.IsAuthenticated, IsOwner]
    throttle_classes = [throttling.UserRateThrottle]

    def get_queryset(self):
        # Scoping the queryset to the user prevents horizontal privilege escalation
        return Invoice.objects.filter(owner=self.request.user)
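The viewset above is only half of a deny-all setup; the project-wide settings also have to default to deny, name a rate for every throttle scope (DRF raises ImproperlyConfigured on the first request otherwise), and avoid wildcard CORS. The following audit function is an added example, not Ghost Labs' code. It assumes the CORS_* keys are django-cors-headers settings, and both settings dicts are constructed for the demonstration.

```python
# Added example: audit a Django settings mapping for the three weaknesses
# discussed above (open-by-default permissions, throttles without a rate,
# permissive CORS). Both settings dicts are constructed for this demo.
ALLOW_ANY = "rest_framework.permissions.AllowAny"
IS_AUTHENTICATED = "rest_framework.permissions.IsAuthenticated"
USER_THROTTLE = "rest_framework.throttling.UserRateThrottle"

# Weak: no DEFAULT_PERMISSION_CLASSES means DRF falls back to AllowAny, the
# throttle has no rate for its "user" scope, and CORS echoes any origin
# while also allowing credentials (django-cors-headers keys, assumed).
WEAK_SETTINGS = {
    "REST_FRAMEWORK": {
        "DEFAULT_THROTTLE_CLASSES": [USER_THROTTLE],
    },
    "CORS_ALLOW_ALL_ORIGINS": True,
    "CORS_ALLOW_CREDENTIALS": True,
}

# Hardened: deny-all by default, an explicit rate per throttle scope, and
# CORS pinned to a named origin allow-list.
HARDENED_SETTINGS = {
    "REST_FRAMEWORK": {
        "DEFAULT_PERMISSION_CLASSES": [IS_AUTHENTICATED],
        "DEFAULT_THROTTLE_CLASSES": [USER_THROTTLE],
        "DEFAULT_THROTTLE_RATES": {"user": "100/minute"},
    },
    "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],
    "CORS_ALLOW_CREDENTIALS": True,
}


def audit_api_settings(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    drf = settings.get("REST_FRAMEWORK", {})
    perms = drf.get("DEFAULT_PERMISSION_CLASSES")
    if not perms or ALLOW_ANY in perms:
        findings.append("permissions: endpoints are open by default (AllowAny)")
    rates = drf.get("DEFAULT_THROTTLE_RATES", {})
    for cls in drf.get("DEFAULT_THROTTLE_CLASSES", []):
        # Scope names follow DRF's built-in classes: UserRateThrottle -> "user",
        # AnonRateThrottle -> "anon".
        scope = cls.rsplit(".", 1)[-1].removesuffix("RateThrottle").lower()
        if scope not in rates:
            findings.append(f"throttling: no rate configured for scope '{scope}'")
    if settings.get("CORS_ALLOW_ALL_ORIGINS") and settings.get("CORS_ALLOW_CREDENTIALS"):
        findings.append("cors: wildcard origin combined with credentials")
    return findings
```

The same rate lookup applies to the throttle_classes set directly on the viewset, so DEFAULT_THROTTLE_RATES is required either way. Note also that has_object_permission never runs for create, so the serializer's owner field should be read-only and set from request.user in perform_create rather than taken from the request body.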
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.