django and backbone.js questions

Question

I'm looking at making backbone.js (plus jQuery) work with my django app, but I have some questions. I've never used a restful setup before, so I have very little knowledge of the "proper" way to use REST.

1. Backbone uses REST architecture, but django doesn't support this by default. It looks like tastypie or piston are the way to go for implementing a REST api. Does this mean I have to use the API for any ajax calls I make via backbone? If this is correct, are there any performance issues or other oddities I need to be aware of?

2. Most of my django app requires authentication. My understanding is that a REST api doesn't have any concept of whether a user is authenticated or not, so how do I handle this? Will I still be able to use login required decorator with my views or do I have do something else?

3. What about Django's permission framework, will I still be able to set / check permissions and groups?

Please feel free to answer each question individually or if you can see my overall confusion, please point me in the right direction.

Some of this is probably very noobish to a lot of you, but it's confused me, so thanks in advance for your help.

Answer 1

you can point backbone collections/models toward whatever urls you want and parse the response however you want in your backbone "subclasses".

Model.url:

http://documentcloud.github.com/backbone/docs/backbone.html#section-43

Collection.parse:

http://documentcloud.github.com/backbone/docs/backbone.html#section-69

You can setup one-off request handlers that can return some json for backbone to parse/ingest without piston or tastypie. But, yes, these are two good solutions for comprehensive REST with django.

There are some good tips here: http://joshbohde.com/blog/backbonejs-and-django for using backbone with tastypie.

With tastypie, you can limit access to the api with custom authorization/authentication.

http://django-tastypie.readthedocs.org/en/latest/authentication_authorization.html

You can create an Authorization scheme that makes sure that the objects list is filtered to be only the object which the user "owns", something like this:

class PerUserAuthorization(Authorization):   def apply_limits(self, request, object_list):     if request and hasattr(request, 'user'):         if request.user.is_authenticated():             object_list = object_list.filter(user=request.user)             return object_list      return object_list.none() 

Alternately/additionally, you can make resources that only return the user's objects by overriding the ModelResource.apply_authorization_limits method and automatically associate the user with created objects by overriding the obj_create method, something like:

class PerUserModelResource(ModelResource):    def obj_create(self, bundle, request=None, **kwargs):     return ModelResource.obj_create(self, bundle, request, user=request.user)    def apply_authorization_limits(self, request, object_list):     return object_list.filter(user=request.user) 

Then, you can inherit from the PerUserModelResource and/or make PerUserAuthorization the authorization for the resource.

class ImageGroupResource(PerUserModelResource):   study = fields.ForeignKey(StudyResource, "study")   uploads = fields.ToManyField('cm.api.UploadResource', 'uploads', null=True)    class Meta:     queryset = ImageGroup.objects.all()     list_allowed_methods = ['get', 'post']     detail_allowed_methods = ['get', 'post', 'put', 'delete']     resource_name = 'cm/imagegroup'     authorization = PerUserAuthorization()     filtering = {         'name': ALL,         'created_dt': ['exact', 'range', 'gt', 'gte', 'lt', 'lte'],     } 

Backbone and django-tastypie are nicely documented. Take the time to build a simple proof of concept and read through the docs a few times. They go together like peas and carrots.