Django REST Framework has an excellent piece of documentation about permissions. I've been able to use pre-made permission classes and also built my own.
However, there are some API methods in which a "Permission denied" generic message is not very informative for the user. For example, if the user is authenticated but the account has expired, it would be nice to let the user know that his account is expired and not just a permission denied error.
When building custom permission classes, you either return True
or False
- according to the documentation. But I would like, as said above, to show a more informative message to the user. How to accomplish this?
Since DRF 3.2.0, You only have to add a message attribute :
from rest_framework import permissions
class CustomerAccessPermission(permissions.BasePermission):
message = 'Adding customers not allowed.'
def has_permission(self, request, view):
See from DRF documentation: http://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
From DRF
you can simply add message
attribute.
from rest_framework import permissions
class IsSuperUserPermission(permissions.BasePermission):
message = 'User is not superuser'
def has_permission(self, request, view):
return self.request.user.is_superuser
It will return a dict
with key detail
, something like this:
{
'detail': 'User is not superuser'
}
But what if you want for example that the
dict
key not to bedetail
buterrors
for example, it will be the same howreturn
errors DRF.
We can set message attribute
not to string
but to dict
, something like this:
class IsSuperUserPermission(permissions.BasePermission):
message = {'errors': ['User is not a superuser']}
def has_permission(self, request, view):
self.message['errors'].clear()
return self.request.user.is_superuser
In this case the error will be:
{
'errors': ['User is not a superuser']
}
when permission isn't granted, I will raise a exception which custom response. It works on djangorestframewor(3.10.1) and django(2.2.3).
from rest_framework.permissions import BasePermission
from rest_framework.exceptions import APIException
from rest_framework import status
class IsLogin(BasePermission):
"""
Allows access only to authenticated users.
"""
def has_permission(self, request, view):
if request.email:
return True
raise NeedLogin()
class NeedLogin(APIException):
status_code = status.HTTP_403_FORBIDDEN
default_detail = {'error': True, 'message': 'need login'}
default_code = 'not_authenticated'
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With