I've designed an RBAC method in a Django project using the following concept:
- Declare an attribute permission_roles in the View/Viewset body. This attribute receives information regarding the user roles that can access each method/action of the view (e.g. 'create': (RoleChoices.ADMIN)).
Then I had to think about how to inform the frontend about role capabilities.
I've thought of using a new model class Permission that stores an array of roles and has a unique name identifier (e.g. Permission(action="user_management_list", roles=[1,2,3])).
In order to populate this model, I've used Django's autodiscover method plus a decorator that goes above my view methods/actions:
    @allowed_roles('user_management_list', [RoleChoices.ADMIN])
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)
Now I was thinking of a way to merge both functionalities, simplifying the custom RBAC permission by using the action name plus the request user's role and querying the DB directly (later I'll also use a cache strategy to reduce DB load).
But the problem is: how could I access the decorator's first parameter (it's the action name)?
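One way to get at the decorator's first argument, as an added example that is not code from the question: have the decorator store the action name and the roles as attributes on the wrapped view method, then read them back through view.<action> from a permission check (attribute names permission_action/permission_roles, the has_permission helper and the stand-in UserViewSet are my assumptions; plain Python stands in for Django/DRF so it runs offline).

```python
from enum import IntEnum
from functools import wraps


class RoleChoices(IntEnum):  # constructed stand-in for the project's role choices
    ADMIN = 1
    MANAGER = 2
    USER = 3


def allowed_roles(action_name, roles):
    """Record the permission name and allowed roles on the view method itself."""
    def decorator(func):
        @wraps(func)  # keep __name__/__doc__ so autodiscover and DRF still see "list"
        def wrapper(self, request, *args, **kwargs):
            return func(self, request, *args, **kwargs)
        # These attributes are what a permission class or autodiscover reads back.
        wrapper.permission_action = action_name
        wrapper.permission_roles = tuple(roles)
        return wrapper
    return decorator


def permission_for(view, action):
    """Return (action_name, roles) stored by the decorator on view.<action>, else None.

    Bound methods forward attribute lookups to the underlying function, so the
    attributes set on `wrapper` are reachable via getattr(view, action)."""
    handler = getattr(view, action, None)
    if handler is None or not hasattr(handler, "permission_action"):
        return None
    return handler.permission_action, handler.permission_roles


def has_permission(view, action, user_role):
    """Mirror of DRF's BasePermission.has_permission: deny by default."""
    meta = permission_for(view, action)
    if meta is None:  # undecorated action: fail closed rather than open
        return False
    _, roles = meta
    return user_role in roles


class UserViewSet:  # stand-in for a DRF ModelViewSet (constructed for this example)
    @allowed_roles("user_management_list", [RoleChoices.ADMIN])
    def list(self, request, *args, **kwargs):
        return "listed"

    @allowed_roles("user_management_create", [RoleChoices.ADMIN, RoleChoices.MANAGER])
    def create(self, request, *args, **kwargs):
        return "created"

    def retrieve(self, request, *args, **kwargs):  # no decorator: denied
        return "retrieved"
```

In a real DRF permission class the same lookup is `permission_for(view, view.action)`, with `request.user`'s role as the third argument; the stored action name is also what you would use as the key for the Permission model or cache lookup.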