Django Rest Framework restrict user data view to admins & the very own user

I am using Django and DRF, and I would like to check whether a (regular) user, after they have been authenticated, is allowed to view their own profile and only that (no other user's).

serializers.py

from django.contrib.auth.models import User
from rest_framework import serializers


class UserSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = User
        fields = ('id', 'url', 'username', 'password', 'email', 'groups', 'is_staff')
        # Accept the password on input but never echo the stored hash back in responses.
        extra_kwargs = {'password': {'write_only': True}}

    def create(self, validated_data):
        # Store a hashed password instead of the raw value from the request.
        user = super().create(validated_data)
        user.set_password(validated_data['password'])
        user.save()
        return user

views.py

from django.contrib.auth.models import User
from rest_framework import viewsets

# Assumed app-relative imports of the two modules shown on this page.
from .permissions import IsUser
from .serializers import UserSerializer


class UserViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows users to be viewed or edited.
    """
    queryset = User.objects.all().order_by('-date_joined')
    serializer_class = UserSerializer
    permission_classes = (IsUser,)

permissions.py

from rest_framework import permissions


class IsUser(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    # This is the non-working version from the question: DRF calls
    # has_permission(request, view) with no obj argument, and a User
    # instance has no .owner attribute.
    def has_permission(self, request, view, obj):
        # View or Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

This obviously is not working, because it is wrong. But I cannot figure out how to allow a user to view:

http://127.0.0.1:8000/api/users/7

ONLY if it's an admin, or the very same user doing the request.

And: http://127.0.0.1:8000/api/users/ Only if it's an admin.

Thanks!

Martin asked Jun 13 '17 23:06


1 Answer

from django.contrib.auth.models import User
from rest_framework.permissions import BasePermission
from rest_framework.viewsets import ModelViewSet

from .serializers import UserSerializer  # assumed app-relative import


class IsSuperUser(BasePermission):

    def has_permission(self, request, view):
        return bool(request.user and request.user.is_superuser)


class IsOwner(BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.user and request.user.is_authenticated:
            if request.user.is_superuser:
                return True
            # obj is the User being retrieved, so compare it with the requester directly.
            return obj == request.user
        return False


class UserViewSet(ModelViewSet):
    queryset = User.objects.all()  # the answer had Message.objects.all(), a copy-paste slip
    serializer_class = UserSerializer

    def get_permissions(self):
        # Only list and retrieve are covered here; every other action keeps
        # the default permission_classes.
        if self.action == 'list':
            self.permission_classes = [IsSuperUser]
        elif self.action == 'retrieve':
            self.permission_classes = [IsOwner]
        return super().get_permissions()

Overriding the list and retrieve methods of UserViewSet is probably the easiest way.

Ykh answered Oct 08 '22 19:10
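A single permission class that enforces both rules from the question (list only for admins, detail only for the admin or the user themselves) without leaving create/update/destroy on the project defaults, as an added example that is not part of the question or the answer above. It assumes the stock django.contrib.auth User attributes (pk, is_authenticated, is_staff); the sample accounts and the allowed_actions helper are constructed for the demonstration and are not DRF API.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # assumption: stand-in so the checks also run where DRF is not installed
    class BasePermission:
        pass

def is_admin(user):
    """Admin here means an authenticated staff account (use is_superuser if that is the site rule)."""
    return bool(user.is_authenticated and user.is_staff)

def may_view_user(request_user, target_user):
    """Object rule: admins may read any account, a regular user only their own row."""
    if not request_user.is_authenticated:
        return False
    return is_admin(request_user) or request_user.pk == target_user.pk

class IsSelfOrAdmin(BasePermission):
    """Covers every action, so create/update/destroy are not left on project defaults."""
    def has_permission(self, request, view):
        if not request.user.is_authenticated:
            return False
        # Collection-level actions are admin-only: /api/users/ must not enumerate accounts.
        if view.action in ("list", "create"):
            return is_admin(request.user)
        return True  # detail actions are decided per object below

    def has_object_permission(self, request, view, obj):
        # obj is the User instance itself, so compare users directly rather than obj.owner.
        return may_view_user(request.user, obj)

def allowed_actions(request_user, target_user):
    """Run both DRF hooks in the order the framework does for list and retrieve."""
    perm, request, result = IsSelfOrAdmin(), SimpleNamespace(user=request_user), {}
    for action in ("list", "retrieve"):
        view = SimpleNamespace(action=action)
        ok = perm.has_permission(request, view)
        if ok and action == "retrieve":  # the object check only runs on detail routes
            ok = perm.has_object_permission(request, view, target_user)
        result[action] = ok
    return result

# Constructed sample accounts (not real data) with the django.contrib.auth attributes used above.
ADMIN = SimpleNamespace(pk=1, is_authenticated=True, is_staff=True)
ALICE = SimpleNamespace(pk=7, is_authenticated=True, is_staff=False)
BOB = SimpleNamespace(pk=8, is_authenticated=True, is_staff=False)
ANON = SimpleNamespace(pk=None, is_authenticated=False, is_staff=False)
```

As defence in depth, also override get_queryset() so that non-admin requests are filtered to request.user before any permission class runs.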