Search code examples
pythondjangodjango-rest-frameworkdjango-querysetdjango-filter

different queryset based on permissions in Django Rest Framework

I have seen this link, but I didn't find anything related to my question helping it being resolved.

Imagine we have to create a blog, in which posts have two status:

  1. is_draft
  2. published (published == !is_draft)

So, each user should see all of his/her posts, whether it is draft or not. In addition, Other users should see the published posts of rest of the users.

I am using viewsets in django and I know that we should have different queryset based on the current user permissions but I don't know how.

models.py:

from django.db import models

# Create your models here.
from apps.authors.models import Author


class Post(models.Model):
    author = models.ForeignKey(
        Author,
        related_name="posts",
        on_delete=models.CASCADE,
    )

    title = models.TextField(
        null=True,
        blank=True,
    )

    content = models.TextField(
        null=True,
        blank=True,
    )

    is_draft = models.BooleanField(
        default=True
    )

views.py:

from django.shortcuts import render
from rest_framework import viewsets, permissions
# Create your views here.
from apps.posts.models import Post
from apps.posts.serializers import PostSerializer


class PostViewSet(viewsets.ModelViewSet):
    queryset = Post.objects.all()
    serializer_class = PostSerializer

    def get_permissions(self):
        if self.action == "create":
            self.permission_classes = [permissions.IsAuthenticated]

        elif self.action == "list":
            pass #I don't know how can I change this part

        return super(PostViewSet, self).get_permissions()

serializers.py:

from rest_framework import serializers

from apps.posts.models import Post


class PostSerializer(serializers.ModelSerializer):
    class Meta:
        model = Post
        fields = '__all__'
Solution

  • Change your queryset like this in your viewset. That way, only your desired posts will be accessed/permitted by the view:

    from django.shortcuts import render
from django.db.models import Q
from rest_framework import viewsets, permissions
# Create your views here.
from apps.posts.models import Post
from apps.posts.serializers import PostSerializer


class PostViewSet(viewsets.ModelViewSet):
    serializer_class = PostSerializer

    def get_permissions(self):
        if self.action == "create":
            self.permission_classes = [permissions.IsAuthenticated]

        return super(PostViewSet, self).get_permissions()

    def get_queryset(self, *args, **kwargs):
        current_user = self.request.user
        current_author = Author.objects.get(user=current_user) #assuming your author class has foreign key to user
        return Post.objects.filter(Q(author=current_author) | Q(is_draft=False))