Allow separate permissions per View in ViewSet #1067
Comments
You could override However the more sensible way to tackle this would be to create a custom permission class that allows Take a look at the custom permissions docs and consider overriding Incidentally, usage questions are probably best directed at the discussion group. Hope that helps! :)
IsCreationOrIsAuthenticated - great idea! Thanks :)
I've been looking at how to implement this for a while, and the crucial thing to know is that However, a

```python
from rest_framework import permissions


class IsCreationOrIsAuthenticated(permissions.BasePermission):
    def has_permission(self, request, view):
        # Anonymous users may only reach the 'create' action; any authenticated
        # user passes. (is_authenticated has been a property since Django 1.10;
        # it was a method, is_authenticated(), in the Django of this era.)
        if not request.user.is_authenticated:
            return view.action == 'create'
        return True
```
Why downvote the last answer?
The code example violates the separation of concerns that DRF tries to isolate.
Alternatively (for Googlers etc), here's a couple of custom permission classes with more restrictions than @kot-behemoth's suggestion (which, when used alone, allows any authenticated user to view/update/delete any user's records). When used together, these permissions permit:
They disallow:
I would expect this to be a fairly common requirement of a User API endpoint. Note: AnonCreateAndUpdateOwnerOnly relies on each record having an 'id' field. For an endpoint other than User, just change this to whatever your record's user ownership field is (e.g. 'owner').

```python
from rest_framework import permissions


class AnonCreateAndUpdateOwnerOnly(permissions.BasePermission):
    """
    Custom permission:
    - allow anonymous POST
    - allow authenticated GET and PUT on *own* record
    - allow all actions for staff
    """

    def has_permission(self, request, view):
        # View-level check: 'create' is open; everything else needs a logged-in user.
        return view.action == 'create' or request.user and request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        # Object-level check: read/update only your own record ('and' binds tighter
        # than 'or', so staff bypass the ownership test for every action).
        return view.action in ['retrieve', 'update', 'partial_update'] and obj.id == request.user.id or request.user.is_staff


class ListAdminOnly(permissions.BasePermission):
    """
    Custom permission to only allow access to lists for admins
    """

    def has_permission(self, request, view):
        # Only the 'list' action is gated; other actions are left to the other classes.
        return view.action != 'list' or request.user and request.user.is_staff
```
@assembledadam
In my case, this permission is exclusively used on the 'User' endpoint (model), so the code is correct for that. It needs to be slightly modified to match your fields if not for User, as mentioned in the italics section of the post.
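The two approaches above (kot-behemoth's single class and assembledadam's pair) differ only at the object level, which is easy to miss when reading the classes in isolation. The following is an added example, not code from the thread or from DRF: it re-declares the three classes and evaluates them over a constructed actor/action matrix with stand-ins for DRF's request, view and model objects, mirroring DRF's rule that every class in `permission_classes` must pass `has_permission`, and for object actions also `has_object_permission`. The users, record and the `allowed`/`policy_matrix` helpers are constructed for the example; the fallback `BasePermission` stub is used only when DRF is not importable.

```python
from types import SimpleNamespace

try:
    from rest_framework import permissions  # real DRF if installed and configured
except Exception:  # offline fallback: same two-method contract as DRF's BasePermission
    class permissions:
        class BasePermission:
            def has_permission(self, request, view):
                return True

            def has_object_permission(self, request, view, obj):
                return True


class IsCreationOrIsAuthenticated(permissions.BasePermission):
    """kot-behemoth's class: anonymous may only create; any authenticated user may do anything."""

    def has_permission(self, request, view):
        return view.action == 'create' or bool(request.user.is_authenticated)


class AnonCreateAndUpdateOwnerOnly(permissions.BasePermission):
    """assembledadam's first class: own record only, except for staff."""

    def has_permission(self, request, view):
        return view.action == 'create' or bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        owned = view.action in ('retrieve', 'update', 'partial_update') and obj.id == request.user.id
        return owned or bool(request.user.is_staff)


class ListAdminOnly(permissions.BasePermission):
    """assembledadam's second class: listing is staff-only."""

    def has_permission(self, request, view):
        return view.action != 'list' or bool(request.user and request.user.is_staff)


def user(id=None, staff=False):
    """Constructed stand-in for request.user exposing only the attributes the classes read."""
    return SimpleNamespace(id=id, is_authenticated=id is not None, is_staff=staff)


# Constructed actors and one record (Alice's own user row).
ANON, ALICE, BOB, ADMIN = user(), user(1), user(2), user(99, staff=True)
ALICE_RECORD = SimpleNamespace(id=1)


def allowed(permission_classes, actor, action, obj=None):
    """Mirror DRF's AND semantics: all classes must grant view-level access, and for
    object-level actions all classes must also grant object-level access."""
    request = SimpleNamespace(user=actor)
    view = SimpleNamespace(action=action)
    perms = [cls() for cls in permission_classes]
    if not all(p.has_permission(request, view) for p in perms):
        return False
    if obj is not None and not all(p.has_object_permission(request, view, obj) for p in perms):
        return False
    return True


def policy_matrix(permission_classes):
    """Who may do what to Alice's record under the given permission_classes."""
    actors = {'anon': ANON, 'alice': ALICE, 'bob': BOB, 'admin': ADMIN}
    cases = [('create', None), ('list', None), ('retrieve', ALICE_RECORD),
             ('update', ALICE_RECORD), ('destroy', ALICE_RECORD)]
    return {name: {action: allowed(permission_classes, actor, action, obj)
                   for action, obj in cases}
            for name, actor in actors.items()}


if __name__ == '__main__':
    for label, classes in [('single class', [IsCreationOrIsAuthenticated]),
                           ('combined pair', [AnonCreateAndUpdateOwnerOnly, ListAdminOnly])]:
        print(label)
        for actor, verdicts in policy_matrix(classes).items():
            print(f'  {actor:6s}', {a: 'ok' if ok else 'no' for a, ok in verdicts.items()})
```

Running it shows the difference assembledadam describes: with the single class, `bob` can retrieve, update and destroy Alice's record; with the pair, `bob` keeps only `create`, `alice` gets `retrieve` and `update` on her own row but not `destroy`, and `admin` gets everything including `list`. The matrix doubles as a regression check when you adapt the ownership field for a non-User endpoint.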
If overriding the
@serpulga
Hi guys,
I've just updated to the latest version (2.3.7) and was excited! It is awesome!
My question is:
Can I specify permission_classes per view in ViewSet?
I want to allow ALL users to create instances, but only AUTHENTICATED users can view them. Please see code below:
I use the approach for registering customers. Is there any feature that can help me? The code above is actually not working: it checks only the "IsAuthenticated" permission, so only authenticated users can access the "create" view.