
Django-REST Framework Object Level Permissions and User Level Permissions

2022-07-25

Django-REST User Level Permissions and Object Level Permissions. User-level permissions and object-level permissions allow you to serve customers based on their access levels or permissions. Let us consider the scenario of Authors, Books, and Readers. Authors are only allowed to write the books. Readers are only allowed to read the allowed Books.

Let us consider the scenario of Authors, Books, and Readers.

Authors are only allowed to write books.

Readers are only allowed to read the Books.

models.py

from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
from django.db import models
from django.utils.translation import ugettext_lazy as _
 
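class User(AbstractBaseUser, PermissionsMixin):
    """Custom user model that carries a coarse role in ``user_type``.

    ``user_type`` is the value the permission classes compare against, so it
    is the user-level access control for this app.  The module must import
    ``models`` from ``django.db`` for the field definitions below.
    """

    USER_TYPES = (
        ("Author", "Author"),
        ("Reader", "Reader"),
        ("Publisher", "Publisher"),
    )

    # AbstractBaseUser requires a USERNAME_FIELD naming the unique login
    # identifier; email is unique here and is what __str__ shows, so it is
    # used.  username is unique too and is prompted for by createsuperuser.
    USERNAME_FIELD = "email"
    REQUIRED_FIELDS = ["username"]

    username = models.CharField(max_length=100, unique=True)
    first_name = models.CharField(_("first name"), max_length=30, blank=True, null=True)
    last_name = models.CharField(_("last name"), max_length=30, blank=True, null=True)
    email = models.EmailField(_("email address"), unique=True)
    is_staff = models.BooleanField(_("staff status"), default=False)
    is_active = models.BooleanField(_("active status"), default=True)
    # CharField requires max_length (Django system check fields.E120);
    # 20 comfortably fits the longest USER_TYPES value ("Publisher").
    user_type = models.CharField(_("user type"), max_length=20, choices=USER_TYPES)

    def __str__(self):
        """Identify the user by email, the login identifier."""
        return self.email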


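class Book(models.Model):
    """A book with a YES/NO flag that the object-level permission consults.

    ``is_allowed_to_read`` is compared literally against ``"YES"`` by
    ``IsAllowedToRead.has_object_permission``, so the choices below are the
    only values that permission understands.
    """

    READ_OPTIONS = (
        ("YES", "YES"),
        ("NO", "NO"),
    )

    name = models.CharField(max_length=300)
    pages = models.IntegerField()
    price = models.DecimalField(max_digits=10, decimal_places=2)
    rating = models.FloatField()
    # CharField requires max_length (Django system check fields.E120);
    # 3 fits both READ_OPTIONS values exactly.
    is_allowed_to_read = models.CharField(max_length=3, choices=READ_OPTIONS)

    def __str__(self):
        """Display the book by its title."""
        return self.name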

permissions.py

from rest_framework.permissions import BasePermission

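class IsAllowedToWrite(BasePermission):
    """User-level permission: only authenticated users typed ``Author`` pass.

    Checked once per request by DRF before the view body runs.
    """

    def has_permission(self, request, view):
        """Return True only for an authenticated user whose user_type is Author.

        An unauthenticated request carries AnonymousUser, which has no
        ``user_type`` attribute; reading it directly raises AttributeError
        (a 500 response) instead of denying access, so authentication is
        checked first and the attribute is read defensively.
        """
        user = request.user
        if not (user and user.is_authenticated):
            return False
        return getattr(user, "user_type", None) == "Author"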


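class IsAllowedToRead(BasePermission):
    """Object-level permission: a book is readable only when flagged ``YES``.

    DRF evaluates ``has_permission`` first and only runs
    ``has_object_permission`` for views that call
    ``check_object_permissions`` (the generic retrieve/update/destroy views
    do; plain list views do not).  Without an explicit ``has_permission``
    the request-level check defaults to True, which would let anonymous
    callers reach the object check, so authentication is required here.
    """

    def has_permission(self, request, view):
        """Require an authenticated user before any object is inspected."""
        user = request.user
        return bool(user and user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        """Allow access only to books whose read flag is literally ``"YES"``."""
        return obj.is_allowed_to_read == "YES"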

views.py

from rest_framework import generics

from app.models import Book
from app.permissions import IsAllowedToWrite, IsAllowedToRead
from app.serializers import WriteBookSerializer, ReadBookSerializer


class WriteBookView(generics.CreateAPIView):
    """POST endpoint that creates a Book.

    Access is gated by ``IsAllowedToWrite``, so only Author users reach the
    serializer; the serializer itself decides which fields are writable.
    """

    permission_classes = (IsAllowedToWrite,)
    serializer_class = WriteBookSerializer


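class ReadBookView(generics.RetrieveAPIView):
    """GET endpoint that returns a single Book by primary key.

    Gated by ``IsAllowedToRead``: the request-level check runs first, then
    ``get_object`` resolves the instance from ``queryset`` and applies the
    object-level ``is_allowed_to_read == "YES"`` check.
    """

    # RetrieveAPIView needs a queryset (or get_queryset) for get_object to
    # look up the instance that the object-level permission is run against.
    queryset = Book.objects.all()
    serializer_class = ReadBookSerializer
    # The listing wired IsAllowedToWrite here, a copy of WriteBookView; that
    # let any Author fetch any book regardless of its read flag and shut
    # Readers out entirely.  The read permission is the intended gate.
    permission_classes = (IsAllowedToRead,)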


For more details, visit the REST framework documentation or the source code on GitHub.