Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Possible to use decorators in django to do permissions based on a view parameter?

Tags:

decorator

permissions

django

I'm not sure it's possible, but is there a way to write something like

@group_required('group_id')
def myview(request, group_id):
    .....

Where I look at the value of the parameter group_id and limit access to this view to only people who are in this group?

I know it is possible to create a decorator to check membership in some specific group

@group_required('admin')
def myview(request):
   ....

But say I want a view that is only accessible to people within a certain group, which is determined by the url.

So for example

/group/1
/group/2

Should each have permissions so that only members of group #X can see that page. I can easily write this functionality within the view

group = get group
if user not in group
    raise 404

but that logic is repeated all over. Decorators seems like a promising way to do it, but it seems the scope is backwards. Is there another preferred way to handle this sort of permissions?

Thanks!

like image 949
jkeesh Avatar asked Jan 03 '14 10:01

jkeesh

2 Answers

The decorator has access to all the view arguments, so it's definitely possible. You could do this:

def group_required(arg_name):
    def decorator(view):
        def wrapper(request, *args, **kwargs):
            group_id = kwargs.get(arg_name)
            user = request.user
            if group_id in user.groups.values_list('id', flat=True):
                return view(request, *args, **kwargs)
            else:
                return HttpResponseForbidden # 403 Forbidden is better than 404
        return wrapper
    return decorator

(If you don't need the flexibility of dynamically defining the argument in the decorator, eg if you always call it group_id, you can miss out the outer function here and just use kwargs.get('group_id').)

like image 152
Daniel Roseman Avatar answered Sep 28 '22 03:09

Daniel Roseman

Daniel's answer appears to not work on Django 1.11. Here's a modified version:

def group_required(group_name):
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            if (request.user.groups.filter(name=group_name).exists() or
                    request.user.is_superuser):
                return view(request, *args, **kwargs)
            else:
                return HttpResponseForbidden("You don't have permission to view this page.")
        return wrapper
    return decorator
like image 33
Turtles Are Cute Avatar answered Sep 28 '22 04:09

Turtles Are Cute
Sign in to Comment

Related questions

python django shell (ipython) unexpected behavior or bug?
Django: get subset of a model with at least one related model
Why does Django's User Model set the email field as non-unique? [duplicate]
Gunicorn and django settings module
Custom base_site.html not working in Django
"Internal Server Error" deploying Django app to Heroku
How to load an object into memory for entire django project to see?
Custom django tag returning a list?
Django's AUTH_PROFILE_MODULE changing the login success url?
How do I start with Django ORM to easily switch to SQLAlchemy?
How do I go about customizing Mezzanine-Cartridge shop/product?
Ping MySQL to keep connection alive in Django
How to index a foreign key CharField using Haystack/Whoosh with Django?
How big can Django primary keys get?
ImportError: cannot import name force_text
PIL ImageDraw.Draw.text fill attribute raise TypeError : an integer is required
wkhtmltopdf Error "No such file or directory" (Django)
Authenticating with Django REST Framework returns 405
Django / Python: Real time peer to peer chat messaging [closed]
Django: django-tables2 pagination and filtering

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!