Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Django rest framework group based permissions for individual views

Tags:

permissions

django

django-rest-framework

django-permissions

role-based-access-control

I am using DRF for writing API's. I would like to give different permissions for each view in my Modelviewsets. I have two groups(customers and staff). I have filtered them as Isstaff and Iscustomer in permissions.py.

class Iscustomer(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user and request.user.groups.filter(name='customers'):
            return True
        return False


class Isstaff(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user and request.user.groups.filter(name='staff'):
            return True
        return False

I am trying to overide using get_permissions method. When I put a single group in self.permission_classes, it works fine. 

class cityviewset(viewsets.ModelViewSet):
    queryset = city.objects.all()
    serializer_class = citySerializer

    def get_permissions(self):    
        if self.request.method == 'POST' or self.request.method == 'DELETE':
            self.permission_classes = [Isstaff]
        return super(cityviewset, self).get_permissions()

But, when i try to put multiple groups in self.permission_classes, it fails.

def get_permissions(self):
    if self.request.method == 'POST' or self.request.method == 'DELETE':
        self.permission_classes = [Isstaff,Iscustomer,]
    return super(cityviewset, self).get_permissions()
like image 538
Jai Simha Ramanujapura Avatar asked Jul 24 '17 12:07

Jai Simha Ramanujapura

1 Answers

The problem is where you are adding multiple permission_classes to your views. The method where your permissions are checked is check_permissions(). If you look at the DRF code,

def check_permissions(self, request):
    """
    Check if the request should be permitted.
    Raises an appropriate exception if the request is not permitted.
    """
    for permission in self.get_permissions():
        if not permission.has_permission(request, self):
            self.permission_denied(
                request, message=getattr(permission, 'message', None)
            )

When you are providing multiple permission_classes, the user must satisfy both the permissions. So, the logged in user must be a Staff and Customer at same time. I think this is why your view fails.

like image 128
zaidfazil Avatar answered Oct 14 '22 13:10

zaidfazil
Sign in to Comment

Related questions

django - inline - Search for existing record instead of adding a new one
Models inside tests - Django 1.7 issue
Django REST Framework (ModelViewSet), 405 METHOD NOT ALLOWED
Ruby on Rails vs. Django [closed]
How can you dispatch on request method in Django URLpatterns?
Kwargs in Django
Idiomatic python - property or method?
Django admin: use checkboxes in list view in list_filter()
AngularJS + Django: URL refresh or direct access not loading correctly
Uploading Large files to AWS S3 Bucket with Django on Heroku without 30s request timeout
Django m2m_changed signal is never called
How can I define a polymorphic relation between models in Django?
Enabling Django Admin Filters on Many-to-Many Fields
Django 1.3 logging: 500 errors are not logged
How to debug "could not receive data from client: Connection reset by peer"
Create UUID on client and save primary key with Django REST Framework and using a POST
Django not sending error emails - how can I debug?
Logging in Django on Heroku not appearing
How do I make a custom model Field call to_python when the field is accessed immediately after initialization (not loaded from DB) in Django >=1.10?
Write a wrapper to expose existing REST APIs as SOAP web services?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!