Django REST - Serialize User.get_all_permissions

Question

I am building an application with a Django Rest backend, and a VueJS front end and am working through authorization and authentication. I have the authentication working well, but am a bit stuck on letting the front end (VueJS) know what the user has authorization to do in terms of Add/Change/View/Delete for a model. For example, if a user cannot add a customer, I don't want to show the 'Add Customer button'.

Working through the Django docs, and solutions on StackOverflow, I believe the simplest way is to send the user's permissions from Django to VueJS.

The 'best'/'simplest' way I can see to get the permissions is with the following:

    userModel = User.objects.get(request.user)
    return User.get_all_permissions(userModel)

Where I am stuck is exactly where to put this logic and how to serialize it. Does the above belong in the View, Serializer, other? Up until now, I have only been working with Models (ModelSerializers and ModelViews), but I don't believe this falls into this category.

Thanks in advance...

Answer 1

You should add this logic to views, because the views are used to implement these kinds of logic.

Actually, you don't want to use serializers here, because of the response of .get_all_permissions() method is already in serialized form

Apart from that, your provided code is not good (it's clearly bad). It should be as below,

return request.user.get_all_permissions()

because, you'll get current logged-in user's instance through request.user, to get his/her permissions, you all need to call the get_all_permissions() method

Example

from rest_framework.decorators import api_view, permission_classes
from rest_framework.response import Response
from rest_framework.permissions import IsAuthenticated


@permission_classes(IsAuthenticated, )
@api_view()
def my_view(request):
    logged_in_user = request.user
    return Response(data=logged_in_user.get_all_permissions())