
[Python] Custom permissions in rests framework

Discussion in 'Python' started by Stack, October 4, 2024 at 22:22.

  1. Stack

    Stack Participating Member

    I need permissions for my app in DRF.

    Input:

    • unauthenticated users can only read publications and images
    • authenticated users can create publications and add images
    • authorized users can edit and delete publications and images for which they are the authors
    • admin user can do all actions but edit content

    Models:

    from django.db import models
    from django.contrib.auth.models import User


    class Publication(models.Model):
        pub_text = models.TextField(null=True, blank=True)
        pub_date = models.DateTimeField(auto_now_add=True)
        pub_author = models.ForeignKey(User, on_delete=models.CASCADE)


    class Image(models.Model):
        image = models.ImageField(upload_to='images', null=True)
        # nullable FK: an image may exist without a parent publication
        image_to_pub = models.ForeignKey(Publication, on_delete=models.CASCADE, null=True, related_name='images')


    Views:

    from rest_framework import viewsets

    # module paths below are assumed; PublicationSerializer, ImageSerializer
    # and PublicPermission are not shown in the post
    from .models import Publication, Image
    from .serializers import PublicationSerializer, ImageSerializer
    from .permissions import PublicPermission, ImagePermission


    class PublicationViewSet(viewsets.ModelViewSet):
        queryset = Publication.objects.all()
        serializer_class = PublicationSerializer
        permission_classes = [PublicPermission]


    class ImageViewSet(viewsets.ModelViewSet):
        queryset = Image.objects.all()
        serializer_class = ImageSerializer
        permission_classes = [ImagePermission]


    Permissions:

    from rest_framework.permissions import BasePermission, SAFE_METHODS

    from .models import Publication  # assumed module path


    class ImagePermission(BasePermission):

        edit_methods = ['PUT', 'PATCH']

        def has_permission(self, request, view):
            # View-level gate: anyone may read, only authenticated users may write.
            if request.method in SAFE_METHODS:
                return True
            if request.user.is_authenticated:
                return True
            return False  # was an implicit None; make the denial explicit

        def has_object_permission(self, request, view, obj):

            if request.user.is_superuser:
                return True

            if request.method in SAFE_METHODS:
                return True

            # Author of the parent publication. Guard the nullable FK so an
            # orphan image does not raise Publication.DoesNotExist here.
            if obj.image_to_pub_id is not None and request.user.id == Publication.objects.get(id=obj.image_to_pub_id).pub_author_id:
                return True

            if request.user.is_staff and request.method not in self.edit_methods:
                return True

            return False


    class ImageAuthorPermission(BasePermission):
        def has_object_permission(self, request, view, obj):
            # Same nullable-FK guard as above
            if obj.image_to_pub_id is not None and request.user.id == Publication.objects.get(id=obj.image_to_pub_id).pub_author_id:
                return True
            return False


    Now it works as I described above. But I'm not sure if this is good practice.

    I mean the class <ImagePermission>. It checks twice whether the method is in SAFE_METHODS.

    If I delete that check from <has_permission>, unauthenticated users do not have read-only rights.

    If I delete that check from <has_object_permission>, authenticated users do not have edit and delete rights.

    I'm sure there is a better way to customise these permissions. Isn't there?

    Also I tried to check whether the current user has object permission for images related to a publication of which the user is the author. This works, but is there a standard practice for checking permissions on related objects? I tried to delete the check

    if request.user.id == Publication.objects.get(id=obj.image_to_pub_id).pub_author_id:


    out of <ImagePermission> and combine both the <ImagePermission> and <ImageAuthorPermission> classes in a <permission_classes> list. I used the & and | operators, but did not succeed.
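A single permission class that implements the four rules listed in the post for both viewsets, resolving the author through the Image → Publication relation instead of a second `Publication.objects.get()`. This is an added example, not code from the post: the `author_id_of` helper, the `allowed` driver, the sample users/objects and the stand-in `BasePermission`/`SAFE_METHODS` (used only when DRF is not installed) are all constructed for illustration.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:  # minimal stand-ins so this runs without DRF installed
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

EDIT_METHODS = ("PUT", "PATCH")

def author_id_of(obj):
    """Owner of a Publication, or of an Image via its image_to_pub FK (no extra query)."""
    if hasattr(obj, "pub_author_id"):
        return obj.pub_author_id
    pub = getattr(obj, "image_to_pub", None)  # None for an orphan image
    return None if pub is None else pub.pub_author_id

class IsAuthorOrReadOnly(BasePermission):
    """Read: anyone. Create: authenticated. Edit/delete: author. Delete only: staff."""
    def has_permission(self, request, view):
        # View-level gate; also runs for list/create, where no object exists yet.
        return request.method in SAFE_METHODS or bool(request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        # Object-level gate: only reached on detail routes after has_permission
        # passed, so anonymous readers need the SAFE_METHODS check again here.
        if request.method in SAFE_METHODS:
            return True
        if request.user.id is not None and request.user.id == author_id_of(obj):
            return True
        return bool(request.user.is_staff) and request.method not in EDIT_METHODS

def allowed(method, user, obj=None):
    """Apply both gates in DRF's order; obj=None models a list/create route."""
    perm, request = IsAuthorOrReadOnly(), SimpleNamespace(method=method, user=user)
    if not perm.has_permission(request, view=None):
        return False
    return obj is None or perm.has_object_permission(request, None, obj)

# Constructed sample actors and objects (not from the post); id=None is anonymous.
ANON, ALICE, BOB, ADMIN = (
    SimpleNamespace(id=i, is_authenticated=i is not None, is_staff=i == 3)
    for i in (None, 1, 2, 3))
PUB = SimpleNamespace(pub_author_id=1)  # Alice's publication
IMG, ORPHAN = SimpleNamespace(image_to_pub=PUB), SimpleNamespace(image_to_pub=None)
```

The repeated SAFE_METHODS test is expected, because DRF evaluates `has_permission` and `has_object_permission` as two separate gates and the second is never reached for list/create routes. With DRF 3.9 or later the class can also be composed with the built-in ones, e.g. `permission_classes = [IsAuthenticatedOrReadOnly & IsAuthorOrReadOnly]`.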

