Django Rest Framework custom permissions per view

-上瘾入骨i 2021-02-10 00:36

I want to create permissions in Django Rest Framework, based on view + method + user permissions.

Is there a way to achieve this without manually writing each permission?

3 Answers
  • 2021-02-10 01:17

    Thanks, I took this idea and got it to work like so:

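    from rest_framework import permissions

    class genericPermissionCheck(permissions.BasePermission):

        def __init__(self, action, entity):
            self.action = action
            self.entity = entity

        def has_permission(self, request, view):
            # Debug output; print() with a single argument works on Python 2 and 3.
            print(self.action)
            print(self.entity)
            # Grant only if the user's role holds this (action, entity) access right.
            if request.user and request.user.role.access_rights.filter(action=self.action, entity=self.entity):
                print('permission granted')
                return True
            else:
                return False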
    

    I used partial in the decorator for the categories action in my viewset class like so:

    @list_route(methods=['get'], permission_classes=[partial(genericPermissionCheck, 'Fetch', 'Categories')])
    def Categories(self, request):
        ...  # body omitted in the original answer
    

    BTW, "access_rights" maps to an array of objects with a pair of action and object e.g. 'Edit' and 'Blog'

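
The answer above still names an action and entity on every route. As an added example (not code from the answer or from DRF), the sketch below derives the required right from the view and the HTTP method in a single class and denies anything unmapped. The `entity` view attribute, the `METHOD_ACTIONS` table, the action names other than 'Fetch' and 'Edit', and the `Rights` stand-in for the `access_rights` relation are assumptions.

```python
from types import SimpleNamespace

# HTTP method -> action. 'Fetch' and 'Edit' appear in the answer above;
# 'Create' and 'Delete' are assumed names.
METHOD_ACTIONS = {
    "GET": "Fetch", "HEAD": "Fetch",
    "POST": "Create", "PUT": "Edit", "PATCH": "Edit", "DELETE": "Delete",
}


class RoleAccessPermission:
    """One permission for every view: the required right is derived from
    view.entity (hypothetical attribute) and request.method.
    In a DRF project, subclass rest_framework.permissions.BasePermission."""

    def has_permission(self, request, view):
        entity = getattr(view, "entity", None)
        action = METHOD_ACTIONS.get(request.method)
        if entity is None or action is None:
            return False  # unmapped view or method: deny by default
        user = getattr(request, "user", None)
        role = getattr(user, "role", None)  # an anonymous user has no role
        if role is None:
            return False
        return bool(role.access_rights.filter(action=action, entity=entity))


class Rights:
    """Constructed stand-in for the access_rights relation (offline demo only)."""

    def __init__(self, *pairs):
        self.rows = [SimpleNamespace(action=a, entity=e) for a, e in pairs]

    def filter(self, **kw):
        return [r for r in self.rows
                if all(getattr(r, k) == v for k, v in kw.items())]


def check(user, method, entity="Categories"):
    """Run the permission against a constructed request and view."""
    request = SimpleNamespace(user=user, method=method)
    view = SimpleNamespace() if entity is None else SimpleNamespace(entity=entity)
    return RoleAccessPermission().has_permission(request, view)


# Constructed sample users.
editor = SimpleNamespace(role=SimpleNamespace(
    access_rights=Rights(("Fetch", "Categories"), ("Edit", "Blog"))))
anonymous = SimpleNamespace()  # no role attribute
```

In a project, each view would set `entity = 'Categories'` (or similar) and list `RoleAccessPermission` in `permission_classes`; a view that forgets to set `entity` is refused rather than left open.
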
  • 2021-02-10 01:19

    Well, the first step could be done easily with DRF. See http://www.django-rest-framework.org/api-guide/permissions#custom-permissions.

    You must do something like that:

    from functools import partial
    
    from rest_framework import permissions
    from rest_framework.views import APIView
    
    class MyPermission(permissions.BasePermission):
    
        def __init__(self, allowed_methods):
            super().__init__()
            self.allowed_methods = allowed_methods
    
        def has_permission(self, request, view):
            return request.method in self.allowed_methods
    
    
    class ExampleView(APIView):
        permission_classes = (partial(MyPermission, ['GET', 'HEAD']),)
    
  • 2021-02-10 01:35

    A custom permission can be created this way; more info is in the official documentation (https://www.django-rest-framework.org/api-guide/permissions/):

    from rest_framework.permissions import BasePermission
    
    
    # Custom permission for users with "is_active" = True.
    class IsActive(BasePermission):
        """
        Allows access only to "is_active" users.
        """
        def has_permission(self, request, view):
            return request.user and request.user.is_active
    
    # Usage
    from rest_framework.views import APIView
    from rest_framework.response import Response
    
    from .permissions import IsActive   # Path to our custom permission
    
    class ExampleView(APIView):
        permission_classes = (IsActive,)
    
        def get(self, request, format=None):
            content = {
                'status': 'request was permitted'
            }
            return Response(content)
    