django-rest-frameworkdjango-permissionsdjango-guardian
How to customize DjangoObjectPermissions?
Hi I am following this example of using the DjangoObjectPermissionsFilter.
I want to create class SampleModelPermissions(permissions.DjangoObjectPermissions) so that it satisfies the following description in my "self-documented" DRF API:
This is my code:
in models.py:
class Sample(models.Model):
created = models.DateTimeField(default=datetime.datetime.utcnow, blank=True, null=True)
last_modified = models.DateTimeField(default=datetime.datetime.utcnow, blank=True, null=True)
owner = models.ForeignKey(User, blank=True, null=True, related_name='sample_owner')
text = models.TextField(default='', blank=True, null=True)
class Meta:
permissions = (
('view_sample', "can view sample"),
)
def __unicode__(self):
return self.text
def __str__(self):
return self.text
in views.py:
class SampleViewSet(viewsets.ModelViewSet):
'''
* Model Description: Sample is a sample model.
* CRUD on Sample model
* C - CREATE - POST /sample/ - allowed as long as owner is the user creating the object
* R - READ - GET /sample/ (list) - user can see objects it owns
* R - READ - GET /sample/[id]/ (detail) - user can see detail page of objects it owns
* U - UPDATE - PATCH /sample/[id]/ - allowed for owner
* D - DELETE - DELETE /sample/[id]/ - allowed for owner
* Note in the case of a nested model A where a field f points to an instance of another model B, you can set f's value to an instance b of B by PATCHing or POSTing with f_id = [the id of b]. Yes, whenever f points to a foreign model, f is read only and f_id is write only.
'''
queryset = Sample.objects.all()
filter_backends = (DjangoFilterBackend, SearchFilter, OrderingFilter, DjangoObjectPermissionsFilter,)
permission_classes = (SampleModelPermissions,)
filter_fields = '__all__'
serializer_class = SampleSerializer
in permisions.py
class SampleModelPermissions(permissions.DjangoObjectPermissions):
perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'],
'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
'HEAD': ['%(app_label)s.view_%(model_name)s'],
'POST': ['%(app_label)s.add_%(model_name)s'],
'PUT': ['%(app_label)s.change_%(model_name)s'],
'PATCH': ['%(app_label)s.change_%(model_name)s'],
'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}
logger.info('in SampleModelPermissions')
def has_object_permission(self, request, view, obj):
logger.info('in SampleModelPermissions has_object_permission')
print 'permissions.SAFE_METHODS: ', permissions.SAFE_METHODS
if request.method in permissions.SAFE_METHODS:
return request.user == obj.owner or True # need to modify so can see own stuff
elif request.method == 'POST':
print 'checking if user has perm to create obj'
return True # request.user == obj.owner
elif request.method == 'PATCH':
return request.user == obj.owner
elif request.method == 'DELETE':
return request.user == obj.owner
return False
But I get the following in POSTMAN:
Any tips on what I should be doing to get my API permissions to work as I describe they should in the self-documentation?
Solution
The solution was to recognize that has_permission covers GET list and POST, and has_object_permissions covers GET detail, PATCH, and DELETE. I had to split my code into those 2 functions accordingly (bear in mind still working out other issues with the code though but the specific problem addressed in this question is covered):
class SampleModelPermissions(permissions.DjangoObjectPermissions):
perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'],
'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
'HEAD': ['%(app_label)s.view_%(model_name)s'],
'POST': ['%(app_label)s.add_%(model_name)s'],
'PUT': ['%(app_label)s.change_%(model_name)s'],
'PATCH': ['%(app_label)s.change_%(model_name)s'],
'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}
logger.info('in SampleModelPermissions')
def has_permission(self, request, view):
logger.info('in SampleModelPermissions has_permission')
if request.method in permissions.SAFE_METHODS:
logger.info('SampleModelPermissions: has_permission: listing samples for user: ' + str(request.user.id))
return True
elif request.method == 'POST':
suggested_owner = None
try:
logger.info('SampleModelPermissions: has_permission: request dict should have a suggested owner: ' + str(dict(request.data.iterlists())))
suggested_owner = int(dict(request.data.iterlists())['owner_id'][0])
except:
logger.error('SampleModelPermissions: has_permission: request made without owner_id: ' + str(dict(request.data.iterlists())))
return False
return request.user.id == suggested_owner
def has_object_permission(self, request, view, obj):
logger.info('in SampleModelPermissions has_object_permission')
print 'permissions.SAFE_METHODS: ', permissions.SAFE_METHODS
if request.method in permissions.SAFE_METHODS:
return request.user == obj.owner or True # need to modify so can see own stuff
elif request.method == 'PATCH':
return request.user == obj.owner
elif request.method == 'DELETE':
return request.user == obj.owner
return False
- ImportError: allauth needs to be added to INSTALLED_APPS
- I want to add a location field in django model which take location input by putting lattitude and longitude
- Django (DRF): How to do case-insensitive ordering
- APIClient headers for testing
- Unable to form ORM queryset in Django
- Why do I get the email but not the ID of the user in Django when using users_data = validated_data.pop(‘users’, [])?
- Django rest framework where to write complex logic in serializer.py or views.py?
- DRF. Filtering child's class objects linked to parent with foreign key from a parent class api routing
- How to add permissions in django admin panel for user?
- Why is everything grouped under "api" in Swagger UI with no division between task and subtask?
- What are the differences between the APIView and ViewSets classes in Django?
- How to show permissions in django admin project?
- Python create an SDK instead just an API
- cannot import name in django rest framework
- Serializing ManytoMany field in Django
- How to create users and groups migrations in Django?
- How can I stop django REST framework to show all records if query parameter is wrong
- Using django with postman {"detail":"CSRF Failed: CSRF token missing or incorrect."}
- How to mapping ForeignKey model value in Django Rest Framework
- Django-Rest-Framework, POST operation: fields is not empty but DRF says is required
- Django Rest Framework Send Data to View Without Serializer
- Can't connect Django and my react native app... [Network request failed]
- Model's ImageField returning different results in viewset vs function-based view
- DRF: Simple foreign key assignment with nested serializers?
- Django->IntegrityError when Creating a record with a foreign key assign to it model
- After refreshing page gives CSRF verification failed. Request aborted. error
- How to serialize a related model at depth 2 without serializing intermediate model at depth 1?
- Django TestCase slef.client.patch gives a 404 error
- How do I set custom error response upon serializer validation in a Django project?
- Django Rest Framework custom filter with default search and ordering filter