
Django Rest Framework owner permissions

I use Django Rest Framework and in one of my viewset classes I have a partial_update method (PATCH) to update my user profile. I want to create a permission so that one user can update only his own profile.

from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated


class ProfileViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows profiles to be viewed, added,
    deleted or edited
    """
    queryset = Profile.objects.all()
    # serializer_class = ProfileSerializer
    permission_classes = (IsAuthenticated,)
    http_method_names = ['get', 'patch']

    def get_queryset(self):
        user = self.request.user
        return self.queryset.filter(user=user)

    def get_serializer_class(self):
        if self.action == 'list':
            return ListingMyProfileSerializer
        if self.action == 'retrieve':
            return ListingMyProfileSerializer
        if self.action == 'update':
            return ProfileSerializer
        return ProfileSerializer

    def get_permissions(self):
        # Your logic should be all here
        if self.request.method == 'GET':
            self.permission_classes = (IsAuthenticated,)
        if self.request.method == 'PATCH':
            self.permission_classes = (IsAuthenticated, IsOwnerOrReject)
        return super(ProfileViewSet, self).get_permissions()

    def partial_update(self, request, pk=None):
        ...
        ...

Now one user can update his profile and any other profile. I tried to create a permission class, IsOwnerOrReject, but I don't know exactly what I must do.

FACode asked Aug 02 '16 10:08


1 Answer

You can add a custom permission that checks whether it's his own profile. Something like this.

# permissions.py
from rest_framework import permissions


class OwnProfilePermission(permissions.BasePermission):
    """
    Object-level permission to only allow updating his own profile
    """
    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # obj here is a UserProfile instance
        return obj.user == request.user


# views.py
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated

from .permissions import OwnProfilePermission  # assumes permissions.py is in the same app


class ProfileViewSet(viewsets.ModelViewSet):
    permission_classes = (IsAuthenticated, OwnProfilePermission,)

UPDATE: You can remove the def get_permissions(self): part.

You can check the documentation for more info.

Rieljun Liguid answered Nov 15 '22 09:11