Reputation: 4110
django-guardian and django-rest-framework
I would like to manage my objects permission using django-guardian in a restful project (using django-rest-framework).
What I would like :
- Allow the connected user to create an object only if he have the "add_modelname" permission.
- When the connected user create an object, set the "delete_modelname" and "change_modelname" permission.
- Allow the connected user to edit an object only if he have the "change_modelobject" permission.
- Allow the connected user to delete an object only if he have the "delete_modelobject" permission.
I'm trying to manage thoses cases with this code :
view.py
class ModelNameViewSet(viewsets.ModelViewSet):
"""
This viewset automatically provides `list`, `create`, `retrieve`,
`update` and `destroy` actions.
Additionally we also provide an extra `highlight` action.
"""
queryset = ModelName.objects.all()
serializer_class = ModelNameSerializer
permission_classes = (permissions.IsAuthenticatedOrReadOnly, ModelNamePermission)
def create(self, request, *args, **kwargs):
assign_perm("change_modelname", request.user, self)
assign_perm("delete_modelname", request.user, self)
return super().create(request, *args, **kwargs)
permissions.py
class ModelNamePermission(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to edit it.
"""
def has_permission(self, request, view):
if request.method in ['GET']:
return request.user.has_perm('view_modelname')
if request.method in ['POST']:
return request.user.has_perm('add_modelname')
if request.method in ['PUT', 'PATCH']:
return request.user.has_perm('change_modelname')
if request.method in ['DELETE']:
return request.user.has_perm('delete_modelname')
return False
def has_object_permission(self, request, view, obj):
if request.method in ['GET']:
return request.user.has_perm('view_modelname', obj)
if request.method in ['POST']:
return request.user.has_perm('add_modelname', obj)
if request.method in ['PUT', 'PATCH']:
return request.user.has_perm('change_modelname', obj)
if request.method in ['DELETE']:
return request.user.has_perm('delete_modelname', obj)
return False
The first problem I encounter is that I have an error in this line :
assign_perm("change_modelname", request.user, self)
error :
error: 'ModelNameViewSet' object has no attribute '_meta'
And I think that the rest of the code will not works but at least you can see what I want to do.
I haven't seen any example with thoses specifics cases.
Edit : Another thing is that this code :
request.user.has_perm('view_coachingrequest')
allways returns true. But I've never set this permission to my user (only tried with admin user, maybe that's why).
Upvotes: 6
Views: 5612
Answers (1)
Reputation: 96
The create method of a viewset will return you a freshly created model instance. You are trying to assign the permission to the viewset object itself. The code for your create method should be as follows:
def create(self, request, *args, **kwargs):
instance = super().create(request, *args, **kwargs)
assign_perm("change_modelname", request.user, instance)
assign_perm("delete_modelname", request.user, instance)
return instance
This will create the model instance and then assign your desired permissions to it before returning it.
Upvotes: 2
Related Questions
- django rest model permissions
- Confused by Django Rest Framework Permissions
- Django Rest Framework Permission Check On Create
- Set object-level permission with django-rest-framework
- Permissions not working using django-guardian for djangorestframework
- permissions : in django rest framework
- Django REST framework: using object-level permissions without model-level permissions
- Django rest framework queryset custom permissions
- Django rest framework permissions
- Django Rest Framework Permissions Conflict