
Allow a user to only delete his own comments with tastypie


I'm designing a django-tastypie application.

I have some users who are able to post comments, but for now everybody can delete everything.

How can I solve this problem?


Solution

  • Okay, I dug in on this a bit and have an answer.
    You need to implement a custom Authorization object and use it in your ModelResource.

    Below is an example I am using that requires the requesting user to be either a superuser or the owner of the resource.

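    class UserPickAuthorization(Authorization):
        """Restrict access to UserPick records to their owner or a superuser.

        Tastypie's base ``Authorization`` permits every operation, so any hook
        that is not overridden stays wide open.  The original version of this
        class left ``update_detail``, ``delete_list`` and ``delete_detail`` at
        their permissive defaults -- which is exactly the "everybody can delete
        everything" problem the question describes -- so those hooks are now
        routed through the same ownership check as reads, creates and updates.
        """

        def _is_owner_or_superuser(self, obj, bundle):
            """Return True if the request user is a superuser or owns ``obj``."""
            user = bundle.request.user
            return user.is_superuser or user == obj.user

        def _owned_objects(self, object_list, bundle):
            """Return the members of ``object_list`` the request user may act on.

            Checks each object's own ``user`` (the original compared every
            object against ``bundle.obj.user`` instead, so the list was
            filtered on the wrong record).
            """
            return [obj for obj in object_list
                    if self._is_owner_or_superuser(obj, bundle)]

        # Per-object decision for the *_detail hooks: the record referenced by
        # ``bundle.obj`` must belong to the logged-in user, unless that user
        # is a superuser.
        def authorize_user(self, bundle):
            print('Authorize User')
            return self._is_owner_or_superuser(bundle.obj, bundle)

        def user(self, bundle):
            """Return the ``User`` row for the requesting user.

            The original read ``bundle.request.pk``, which a Django request
            does not have; the primary key lives on ``request.user``.
            """
            print('User')
            return User.objects.get(pk=bundle.request.user.pk)

        def read_list(self, object_list, bundle):
            """Expose rows owned by the request user or with no owner at all."""
            print('Read List')
            return object_list.filter(Q(user=self.user(bundle)) | Q(user=None))

        def read_detail(self, object_list, bundle):
            print('Read Detail')
            return self.authorize_user(bundle)

        def create_list(self, object_list, bundle):
            # Creation is open to any authenticated caller; ownership of each
            # new row is still enforced per object in create_detail.
            print('Create List')
            return object_list

        def create_detail(self, object_list, bundle):
            print('Create Detail')
            return self.authorize_user(bundle)

        def update_list(self, object_list, bundle):
            print('Update List')
            return self._owned_objects(object_list, bundle)

        def update_detail(self, object_list, bundle):
            print('Update Detail')
            return self.authorize_user(bundle)

        def delete_list(self, object_list, bundle):
            # Governs bulk DELETE on the list endpoint; without this override
            # the base class would allow deleting every matching row.
            print('Delete List')
            return self._owned_objects(object_list, bundle)

        def delete_detail(self, object_list, bundle):
            print('Delete Detail')
            return self.authorize_user(bundle)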
    
    
    class UserPickResource(ModelResource):
        """REST resource for ``UserPick`` rows, served under ``userpick``.

        Related rows are embedded in the response (``full=True``) rather than
        referenced by URI.
        """
        # Each related field follows the model attribute named by its second
        # argument.
        pick = fields.ToOneField(TeamResource, 'pick', full=True)
        user = fields.ToOneField(UserResource, 'user', full=True)
        league = fields.ToOneField(LeagueResource, 'league', full=True)

        class Meta:
            resource_name = 'userpick'
            queryset = UserPick.objects.all()
            # Callers must hold a session; what each caller may touch is then
            # decided per object by UserPickAuthorization.  'delete' is
            # permitted on the list endpoint, so that class needs to constrain
            # bulk deletes (its delete_list hook) as well as single-object ones.
            authentication = SessionAuthentication()
            authorization = UserPickAuthorization()
            list_allowed_methods = ['get', 'post', 'put', 'patch', 'delete']
            always_return_data = True
            filtering = dict(
                pick=ALL_WITH_RELATIONS,
                league=ALL_WITH_RELATIONS,
                user=ALL_WITH_RELATIONS,
                week=ALL,
            )