Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

django rest model permissions

Tags:

django

django-rest-framework

I'm using Django 2.1 and djangorestframework 3.9.2. I wish to be able to control access to REST operations on Django model objects via the Django admin interface, ideally using user permissions. For example, only users who have read permissions on model object Foo should be able to see Foo in my REST API.

I read the docs and it seems maybe I could use DjangoModelPermissions or DjangoObjectPermissions.

However, when I clear all user permissions in the DB, and set DEFAULT_PERMISSIONS_CLASS to either DjangoModelPermissions or DjangoObjectPermissions, I am still able to see things in the REST API. That means lack of permissions is not preventing me from seeing objects as I hoped.

Example settings:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.DjangoModelPermissions',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}

An example object view:

from rest_framework import routers, serializers, viewsets
from .models import Example

class ExampleSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = Example
        fields = '__all__'

class ExampleViewSet(viewsets.ModelViewSet):
    queryset = Example.objects.all()
    serializer_class = ExampleSerializer

router = routers.DefaultRouter()
router.register(r'examples', ExampleViewSet)

Suggestions?

like image 751
dfrankow Avatar asked Jan 27 '23 12:01

dfrankow

1 Answers

DjangoModelPermissions only enforce permission rules for data modification (for POST , PUT , PATCH and DELETE requests), but does not enforce permission rules for data viewing.

To restrict data viewing, you can add a custom view permisson, and subclass DjangoModelPermissions to use that permission, as explained in the docs

EDIT:

With Django 2.1, view model permission is added. So this will probably be supported by DjangoModelPermissions in the future releases, but until then, you can try subclassing DjangoModelPermissions like this to add check for view permissions:

class DjangoModelPermissionsWithRead(DjangoModelPermissions):
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

EDIT 2: There is a feature request filed to support this.

like image 108
Ozgur Akcali Avatar answered Jan 31 '23 08:01

Ozgur Akcali
Sign in to Comment

Related questions

Django Annotate Sum
Ensure that urlpatterns is a list of path() and/or re_path() instances
How to pass template variable to slice filter in Django templates
Django - post InMemoryUploadedFile to external REST api
Where to store auth token (frontend) and how to put it in http headers of multiple endpoints?
Dynamically change upload location based on Model name in Django
Django - How to modify template context from middleware
Django - annotate with multiple Count
Django REST Framework CurrentUserDefault() with serializer
How to add 'id' to the fields in HyperlinkedModelSerializer in DRF
Django REST Framework create nested serializers gives pk error
Token Authentication Not Working on Django Rest Framework
How to pass more than two parameters in a queryset in Django?
django 2.1.3 'django.db.backends.postgis' isn't an available database backend
Django generics.ListAPIView accepting POST method
Auto reloading Django server on Docker
Django: Object of type 'datetime' is not JSON serializable
Django does not honor ON DELETE CASCADE
Providing initial data for models - Django
Django channels pytest testing. django.core.exceptions.ImproperlyConfigured. .

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!