Alberto Villacorta

Reputation: 81

Default permissions class for DRF

Django REST framework currently has IsAdminUser as a permissions class. Is there also a corresponding IsOwnerOrAdminUser? Something to that effect? It seems like there should be something that only allows an object to have CRUD functionality if the current user is the one that created it. I'm using DRF with djangorestframework-jwt.

Upvotes: 1

Views: 898

Answers (2)

Devansh

Reputation: 1267

permissions.py

from rest_framework import permissions


class IsOwnerOrAdminUser(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # Read-only methods (GET, HEAD, OPTIONS) are allowed for any request.
        if request.method in permissions.SAFE_METHODS:
            return True
        # Writes are limited to the object's owner or a staff user.
        return obj.owner == request.user or request.user.is_staff

views.py

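from rest_framework.views import APIView

from .permissions import IsOwnerOrAdminUser


class UserAPIView(APIView):
    # Object-level checks run when a handler calls self.check_object_permissions(request, obj).
    permission_classes = (IsOwnerOrAdminUser, )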

Upvotes: 3

neverwalkaloner

Reputation: 47354

You can find the full list of REST framework permissions in the docs. There is DjangoModelPermissionsOrAnonReadOnly, which allows non-safe methods only for users with add, change and delete permissions on models. If it doesn't fit your requirements, you can implement your own permission class, something like this:

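from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # Safe (read-only) methods are open to everyone.
        if request.method in permissions.SAFE_METHODS:
            return True
        # Everything else requires the owner or a superuser.
        return obj.owner == request.user or request.user.is_superuser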

This method is documented here.

Upvotes: 3
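
A stricter variant that matches the question's requirement that all CRUD access, reads included, is limited to the owner or an admin, shown here as an added example that is not from either answer. The user and object stand-ins, is_allowed and access_matrix are hypothetical names constructed for the demo, and the import fallback exists only so the block runs without DRF installed.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except Exception:  # DRF absent or Django unconfigured: fall back so the demo still runs
    BasePermission = object


class IsOwnerOrAdmin(BasePermission):
    """Owner or staff only, for every HTTP method (no SAFE_METHODS shortcut)."""

    def has_permission(self, request, view):
        # View-level gate: rejects anonymous requests before any object is loaded.
        user = request.user
        return bool(user and user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        # Object-level gate: GET is restricted exactly like PUT and DELETE.
        return bool(request.user.is_staff or obj.owner == request.user)


def is_allowed(permission, request, obj):
    """Apply both checks in DRF's order: view level first, then object level."""
    return (permission.has_permission(request, None)
            and permission.has_object_permission(request, None, obj))


# Constructed stand-ins for request.user and a model instance with an `owner` field.
def make_user(name, staff=False, authenticated=True):
    return SimpleNamespace(username=name, is_staff=staff, is_authenticated=authenticated)


alice = make_user("alice")
bob = make_user("bob")
admin = make_user("admin", staff=True)
anonymous = make_user("anonymous", authenticated=False)
note = SimpleNamespace(owner=alice)  # an object created by alice


def access_matrix():
    """Return {(username, method): allowed} for each sample user against alice's note."""
    permission = IsOwnerOrAdmin()
    return {
        (user.username, method): is_allowed(
            permission, SimpleNamespace(user=user, method=method), note)
        for user in (alice, bob, admin, anonymous)
        for method in ("GET", "PUT", "DELETE")
    }
```

In a plain APIView the object-level check only runs when the handler calls self.check_object_permissions(request, obj); the generic views do this inside get_object(). Object permissions are not applied to list endpoints, so those need the queryset filtered by owner as well.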
