
I use Django group permissions, so I can assign permissions to users. Here is my test scenario:

I have a Company Model,

User1.hasPerm -> view_company, change_company, add_company, delete_company

Permissions.py:

from rest_framework import permissions

class HasPermissions(permissions.BasePermission):
    def has_permission(self, request, view):
        # The first if/else always returns, so the checks below it are never reached
        if request.user.has_perm('MYAPP.view_company'):
            return True
        else:
            return False
        if request.user.has_perm('MYAPP.change_company'):
            return True
        else:
            return False
        if request.user.has_perm('MYAPP.add_company'):
            return True
        else:
            return False
        if request.user.has_perm('MYAPP.delete_company'):
            return True
        else:
            return False

        return True

CompanyView.py:

from rest_framework.permissions import IsAuthenticated
from rest_framework.viewsets import ModelViewSet

class CompanyViewSet(ModelViewSet):
    queryset = Company.objects.all()
    filter_class = CompanyFilter
    serializer_class = CompanySerializer
    permission_classes = [IsAuthenticated, HasPermissions]

    def get_queryset(self):
        if self.request.user.is_authenticated and self.request.user.is_active:
            # Restrict the list to companies linked to the requesting user
            company = Company.objects.filter(companyUser__exact=self.request.user)
            return company
        else:
            # Any other request falls through to the unfiltered table
            return Company.objects.all()

I wrote the HasPermissions class to control user permissions, but it works only for CompanyView. I want to make it global so I can control all views.

HasPermissions is like hard coding; I want to change it into a more reusable version that controls all views.

How can I do this?

  • It likely does not work either, since you immediately return False. So after the first else, the rest is dead code. Commented Sep 12, 2019 at 12:51
  • Yes, you're right. How can I make this function more usable?
    – oerbas
    Commented Sep 12, 2019 at 13:04

1 Answer

You do not need to write this yourself. Django already has a DjangoModelPermissions [drf-doc] for that:

This permission class ties into Django's standard django.contrib.auth model permissions. This permission must only be applied to views that have a .queryset property set. Authorization will only be granted if the user is authenticated and has the relevant model permissions assigned.

  • POST requests require the user to have the add permission on the model.
  • PUT and PATCH requests require the user to have the change permission on the model.
  • DELETE requests require the user to have the delete permission on the model.

So you can use:

from rest_framework.permissions import IsAuthenticated, DjangoModelPermissions
from rest_framework.viewsets import ModelViewSet

class CompanyViewSet(ModelViewSet):
    queryset = Company.objects.all()
    filter_class = CompanyFilter
    serializer_class = CompanySerializer
    permission_classes = [IsAuthenticated, DjangoModelPermissions]

  • I use your way, but when I delete the MYAPP.view_company permission from the admin panel, the user can still access the company list?
    – oerbas
    Commented Sep 12, 2019 at 13:11
  • @oerbas: did you remove the permission from the user? Commented Sep 12, 2019 at 13:12
  • @oerbas: exactly what is the logic here? That a user should have any of the permissions? Or all of the permissions? Commented Sep 12, 2019 at 13:14
  • If the user only has MYAPP.view_company, then the user can only list companies. If the user only has 'MYAPP.view_company' and 'MYAPP.add_company', then the user can only list and add a company. Am I clear?
    – oerbas
    Commented Sep 12, 2019 at 13:19
  • @oerbas: you did link the permissions to the models, right? See docs.djangoproject.com/en/2.2/topics/auth/customizing/… Commented Sep 12, 2019 at 13:32
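Added example, not code from the question, the answer or Django REST framework itself: a dependency-free re-implementation of the method-to-permission mapping that DjangoModelPermissions is assumed to use (GET, HEAD and OPTIONS mapped to no permission at all), which is the behaviour behind oerbas's follow-up that the company list stays readable after view_company is removed, next to a subclass that also demands the view permission on read requests. FakeUser, ModelPermissionsLike and ViewAwareModelPermissions are stand-in names invented for this example; the real class to subclass is rest_framework.permissions.DjangoModelPermissions.

```python
# Stand-alone mirror of the DjangoModelPermissions logic (assumed, not imported
# from DRF) so the read-access gap and its fix can be exercised offline.

class FakeUser:
    """Stand-in for request.user holding 'app_label.codename' strings (constructed)."""
    def __init__(self, perms, is_authenticated=True):
        self.perms = set(perms)
        self.is_authenticated = is_authenticated

    def has_perms(self, perm_list):
        # Same contract as Django's User.has_perms: every listed perm must be held
        return all(p in self.perms for p in perm_list)


class ModelPermissionsLike:
    """Mirror of DjangoModelPermissions' perms_map: reads require nothing."""
    perms_map = {
        'GET': [], 'OPTIONS': [], 'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }
    authenticated_users_only = True

    def get_required_permissions(self, method, app_label, model_name):
        # Expand the codename templates for the queryset's model
        kwargs = {'app_label': app_label, 'model_name': model_name}
        return [perm % kwargs for perm in self.perms_map[method]]

    def has_permission(self, user, method, app_label='MYAPP', model_name='company'):
        if self.authenticated_users_only and not user.is_authenticated:
            return False
        # For GET the required list is empty, so has_perms([]) is True for anyone
        return user.has_perms(self.get_required_permissions(method, app_label, model_name))


class ViewAwareModelPermissions(ModelPermissionsLike):
    """Hardened variant: read requests must hold the model's view permission."""
    perms_map = dict(
        ModelPermissionsLike.perms_map,
        GET=['%(app_label)s.view_%(model_name)s'],
        HEAD=['%(app_label)s.view_%(model_name)s'],
        OPTIONS=['%(app_label)s.view_%(model_name)s'],
    )
```

Overriding perms_map this way on a real DjangoModelPermissions subclass is the documented DRF pattern; the write-side mapping for POST, PUT, PATCH and DELETE is left unchanged.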
