Simen Russnes

Reputation: 2260

Django Admin permissions applied on REST API views

In the Django admin interface, it is possible to specify permissions on each individual Model. The permission options for an example model Customer are:

However, these permissions do not seem to apply to REST Framework API Views (rest_framework.viewsets.ModelViewSet), implemented for Customer as follows:

class CustomerViewSet(viewsets.ModelViewSet):
    queryset = Customer.objects.all()
    serializer_class = CustomerSerializer

class CustomerSerializer(serializers.ModelSerializer):
    class Meta:
        model = Customer
        fields = '__all__'

I thought that by setting the DEFAULT_PERMISSION_CLASSES to DjangoModelPermissions these permissions would be reflected, but they are not:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.DjangoModelPermissions',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}

Should the permissions defined in admin work in Views as well with these settings, should they not, and/or is there any way to make this happen? The benefit is that system administrators can easily define groups in the admin interface and tailor their permissions to their problem areas, so being able to define permissions in this way is very desirable. I have seen many other ways of implementing permissions, but they require, from what I have seen, a lot of customization on the View definitions in Python.

Versions:

Upvotes: 1

Views: 1488

Answers (1)

HelenShy

Reputation: 336

For API views to check for groups and permissions, we can use DjangoModelPermissions in our views.py as follows.

from rest_framework import viewsets
from rest_framework.permissions import DjangoModelPermissions

class CustomerViewSet(viewsets.ModelViewSet):
    queryset = Customer.objects.all()
    serializer_class = CustomerSerializer
    permission_classes = (DjangoModelPermissions, )

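It restricts POST, PUT and DELETE access but allows GET access. To restrict it also:

import copy

from rest_framework import viewsets
from rest_framework.permissions import DjangoModelPermissions

class CustomDjangoModelPermissions(DjangoModelPermissions):
    def __init__(self):
        # perms_map is a class-level dict shared with DjangoModelPermissions;
        # copy it so the GET requirement applies only to this subclass.
        self.perms_map = copy.deepcopy(self.perms_map)
        # Require the model's "view" permission for GET requests.
        self.perms_map['GET'] = ['%(app_label)s.view_%(model_name)s']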


class CustomerViewSet(viewsets.ModelViewSet):
    queryset = Customer.objects.all()
    serializer_class = CustomerSerializer
    permission_classes = (CustomDjangoModelPermissions, )

Upvotes: 6
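
Added example, not part of the question or the answer: a Django-free stand-in that mirrors the method-to-codename mapping of `DjangoModelPermissions`, showing why a group holding only the add permission can still GET, and why a subclass that adds a `view_` requirement should copy `perms_map` before changing it. The `crm` app label, the `DATA_ENTRY` permission set and all function names are assumptions made for the illustration.

```python
import copy

VIEW = "%(app_label)s.view_%(model_name)s"

def make_base():
    """Build a fresh stand-in class per call so the demos cannot affect each other."""
    class ModelPermissions:
        # Same method-to-codename mapping that DjangoModelPermissions ships with.
        perms_map = {
            "GET": [], "OPTIONS": [], "HEAD": [],
            "POST": ["%(app_label)s.add_%(model_name)s"],
            "PUT": ["%(app_label)s.change_%(model_name)s"],
            "PATCH": ["%(app_label)s.change_%(model_name)s"],
            "DELETE": ["%(app_label)s.delete_%(model_name)s"],
        }

        def required(self, method, app_label="crm", model_name="customer"):
            names = {"app_label": app_label, "model_name": model_name}
            return [perm % names for perm in self.perms_map[method]]

        def allows(self, user_perms, method):
            # An empty requirement list lets any authenticated user through.
            return all(p in user_perms for p in self.required(method))
    return ModelPermissions

def allowed(user_perms, method, require_view=False):
    """Decision for one request, with or without a view_ requirement on GET."""
    checker = make_base()()
    if require_view:
        checker.perms_map = copy.deepcopy(checker.perms_map)
        checker.perms_map["GET"] = [VIEW]
    return checker.allows(user_perms, method)

def base_get_after_subclass(copy_first):
    """GET requirement seen by the *base* class after a subclass is instantiated."""
    base = make_base()
    class ViewRequired(base):
        def __init__(self):
            if copy_first:
                self.perms_map = copy.deepcopy(self.perms_map)
            self.perms_map["GET"] = [VIEW]
    ViewRequired()
    return base().required("GET")

# Constructed sample: a group that was given only "Can add customer" in the admin.
DATA_ENTRY = {"crm.add_customer"}

if __name__ == "__main__":
    for method in ("GET", "POST", "DELETE"):
        print(method, allowed(DATA_ENTRY, method), allowed(DATA_ENTRY, method, True))
    print(base_get_after_subclass(False), base_get_after_subclass(True))
```

Without the copy, the assignment in `__init__` writes into the dict owned by the parent class, so every view that uses the parent also starts requiring the view permission on GET.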
