DEVHIDE
Login Or Sign up

DRF ViewSet operation authorization with rules

281 Views Asked by At

Considering the following model

class MyUser(AbstractBaseUser):
    ADMIN = 0
    TEACHER = 100
    STUDENT = 200
    UNSPECIFIED = 256

    USER_TYPE_CHOICES = (
        (ADMIN, 'admin'),
        (TEACHER, 'teacher'),
        (STUDENT, 'student'),
        (UNSPECIFIED, 'unspecified')
    )
    ...
    user_type = models.IntegerField(db_column='userType', choices=USER_TYPE_CHOICES, blank=True, default=UNSPECIFIED)

And the following ViewSet

class CourseViewSet(ViewSet):

    def create(self, request):
        serializer = CourseSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=201)
        return Response(serializer.errors, status=400)

Using django-rules, how can the create() operation in CourseViewSet be restricted to only users of user_type TEACHER?

python django django-rest-framework authorization django-rules
Original Q&A
1

There are 1 best solutions below

0
Anton Pomieshchenko On BEST ANSWER

If you want to auto apply permissions defined in your model you can use

in your course model something like this

from rules import predicates

@predicates.predicate()
def check_teacher(user):
    if not hasattr(user, 'user_type'):
        return False

    if user.user_type == 'teacher':
        return True

    return False


class Course(models.Model):
    ....
    class Meta:
        rules_permissions = {
            "add": check_teacher,
            "read": rules.always_allow,
        }

and your view

from rules.contrib.rest_framework import AutoPermissionViewSetMixin

class CourseViewSet(AutoPermissionViewSetMixin, viewsets.ViewSet):
    def get_queryset(self):
        return Course.objects.all()

    def create(self, request):
        serializer = CourseSerializer(data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data, status=201)
        return Response(serializer.errors, status=400)

Related Questions in PYTHON

Related Questions in DJANGO

Related Questions in DJANGO-REST-FRAMEWORK

Related Questions in AUTHORIZATION

Related Questions in DJANGO-RULES

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.