guettli

Reputation: 27939

Django: Object level permissions DRY

Object level permissions

Example from http://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#object-level-permissions

from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

My need: Queryset of all objects a user can edit

I want to have a django-orm queryset which contains all objects which a given user can edit.

I guess I could solve this by creating a complex django-orm filter (with OR and distinct).

Not DRY

But that's not DRY. That's not DRY because I need to code the stuff twice. One time in has_object_permission() and one time in the django-orm filter.

Question

How to solve my need (queryset of all objects a user can edit) without duplicating the permission checking?

Upvotes: 2

Views: 1080

Answers (1)

Linovia

Reputation: 20986

If you want that badly to keep things DRY, you'll have to load all the database entries and apply the permission check to every one.

I doubt that's what you really want. Sometimes you can't keep things DRY.

It's the same when you display data to a user. You'll usually apply basic permissions implicitly when performing the query and then ensure the full permissions are valid or not.

Upvotes: 2
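
When the ownership rule ends up written twice (once per object, once as a query filter), a test that compares the two answers catches them drifting apart. This is an added example, not code from the question or the answer; it uses sqlite3 as a stand-in for the Django ORM, and the Snippet tuple, table layout, function names and sample rows are assumptions.

```python
import sqlite3
from collections import namedtuple

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same values as DRF's permissions.SAFE_METHODS
Snippet = namedtuple("Snippet", "id owner title")  # hypothetical stand-in for the model

def has_object_permission(method, user, obj):
    """Per-object rule, mirroring IsOwnerOrReadOnly from the question."""
    if method in SAFE_METHODS:
        return True
    return obj.owner == user

def editable_ids_via_query(conn, user):
    """Set-level rule written a second time as a filter (ORM: filter(owner=user))."""
    rows = conn.execute("SELECT id FROM snippet WHERE owner = ?", (user,))
    return {row[0] for row in rows}

def editable_ids_via_full_scan(conn, user):
    """The DRY but expensive route: load every row and check each one."""
    rows = conn.execute("SELECT id, owner, title FROM snippet")
    return {s.id for s in map(Snippet._make, rows)
            if has_object_permission("PUT", user, s)}

def find_drift(conn, users):
    """Map each user whose two answers differ to (query_only, check_only) ids."""
    drift = {}
    for user in users:
        by_query = editable_ids_via_query(conn, user)
        by_check = editable_ids_via_full_scan(conn, user)
        if by_query != by_check:
            drift[user] = (by_query - by_check, by_check - by_query)
    return drift

def make_db():
    """Constructed sample data: two owners plus one row with no owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE snippet (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany("INSERT INTO snippet VALUES (?, ?, ?)",
                     [(1, "alice", "a1"), (2, "bob", "b1"),
                      (3, "alice", "a2"), (4, None, "orphan")])
    return conn

if __name__ == "__main__":
    conn = make_db()
    print(find_drift(conn, ["alice", "bob"]))
    # Raw SQL "owner = NULL" matches nothing, Python None == None is True,
    # so the two rules disagree for user None on the ownerless row.
    print(find_drift(conn, ["alice", "bob", None]))
```

The full scan is affordable in a test suite with a small fixture, which is where this comparison belongs; production code keeps the filter plus the per-object check.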
