Using DjangoObjectPermissionsFilter to filter user objects using django-guardian

I managed to configure django-guardian in my django-rest-framework project as in the example in the DRF docs, but I cannot achieve the behavior that I want. Can someone point out whether I am doing something wrong, or whether what I want cannot be done with guardian?

Customization

settings.py

    INSTALLED_APPS = (
        ...
        'guardian',
        'simple',
    )

    AUTHENTICATION_BACKENDS = (
        'django.contrib.auth.backends.ModelBackend',
        'guardian.backends.ObjectPermissionBackend',
    )

    # DRF reads its own settings from this dict
    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': (
            'infrastructure.permissions.DjangoObjectPermissions',
        ),
    }

infrastructure/permissions.py

    from rest_framework import permissions


    class DjangoObjectPermissions(permissions.DjangoObjectPermissions):
        """
        Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
        """
        perms_map = {
            'GET': ['%(app_label)s.view_%(model_name)s'],
            'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
            'HEAD': ['%(app_label)s.view_%(model_name)s'],
            'POST': ['%(app_label)s.add_%(model_name)s'],
            'PUT': ['%(app_label)s.change_%(model_name)s'],
            'PATCH': ['%(app_label)s.change_%(model_name)s'],
            'DELETE': ['%(app_label)s.delete_%(model_name)s'],
        }

models.py

    from django.db import models


    class Event(models.Model):
        name = models.CharField(max_length=255)
        min_age = models.IntegerField()

        def __str__(self):
            return self.name

        class Meta:
            # custom object-level permission checked by guardian
            permissions = (('view_event', 'Can view event'),)

views.py

    from rest_framework import filters, viewsets

    # assumed: the app's own models and serializers modules
    from . import models, serializers


    class EventViewSet(viewsets.ModelViewSet):
        queryset = models.Event.objects.all()
        serializer_class = serializers.EventSerializer
        filter_backends = (filters.DjangoObjectPermissionsFilter,)

Expected Behavior

  • The Events list returned by EventViewSet.list contains only objects that the requesting user can view (the user has the django.auth permission view_event OR the permission ('view_event', event_object)).
  • EventViewSet.details returns an Event instance only if the requesting user has the view_event permission or the permission ('view_event', event_object).

Actual behavior

  • If the user has the django.auth permission view_event and the guardian permission ('view_event', event_obj), he can access the list route (retrieving all entries) and the details route associated with event_obj.
  • If the user does not have the django.auth view_event permission, but has the guardian permission ('view_event', event_obj), he receives 403 on all routes (including the details route associated with event_obj, for which he has permission).
  • If the user has view_event but does not have ('view_event', event_obj), he can access the list route (seeing all the records), but gets a 404 on the details route, regardless of the record.

Thanks!

1 answer

Well, it turns out that all views with the DjangoObjectPermissions permission class will allow users to see a resource only if they have permissions at both the model level and the object level. The fact that my users can list all objects but not retrieve them is due to a known bug that has already been fixed, but is not yet in the current version.

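To make the two-stage check the answer describes concrete, here is an added example (plain Python, not code from the question or from the DRF/guardian projects) that models how DjangoObjectPermissions and DjangoObjectPermissionsFilter arrive at the three "Actual behavior" results above. The `User` class, the event names and the `accept_global_perms` flag (named after the argument of guardian's `get_objects_for_user`) are constructed for this simulation.

```python
# Added example, not code from the question or from DRF/guardian: a plain-Python
# model of the permission logic behind the three "Actual behavior" cases.
from dataclasses import dataclass, field

PERM = "simple.view_event"  # perms_map['GET'] rendered for app 'simple', model 'event'


@dataclass
class User:
    model_perms: set = field(default_factory=set)     # django.contrib.auth (model level)
    object_perms: dict = field(default_factory=dict)  # guardian: event name -> {perms}

    def has_perm(self, perm, obj=None):
        # Backend chain: ModelBackend only answers when obj is None, guardian's
        # ObjectPermissionBackend only answers when an object is given.
        if obj is None:
            return perm in self.model_perms
        return perm in self.object_perms.get(obj, set())


def filter_queryset(user, events, accept_global_perms=True):
    """DjangoObjectPermissionsFilter: keep the rows the user may view. The flag
    decides whether a model-level permission alone makes every row visible."""
    if accept_global_perms and user.has_perm(PERM):
        return list(events)
    return [e for e in events if user.has_perm(PERM, e)]


def list_events(user, events, accept_global_perms=True):
    """(status, body) of EventViewSet.list."""
    if not user.has_perm(PERM):          # stage 1: model-level check, obj=None
        return 403, []
    return 200, filter_queryset(user, events, accept_global_perms)


def retrieve_event(user, name, events, accept_global_perms=True):
    """Status of EventViewSet.retrieve for the event called `name`."""
    if not user.has_perm(PERM):          # stage 1 runs here too -> 403
        return 403
    if name not in filter_queryset(user, events, accept_global_perms):
        return 404                       # get_object() works on the filtered queryset
    if not user.has_perm(PERM, name):    # stage 2: object-level check
        return 404                       # DRF reports a denied read as 404
    return 200
```

Running the three users from the question through `list_events` and `retrieve_event` reproduces the 200/403/404 pattern reported above; switching `accept_global_perms` off shows the stricter, object-only listing.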
