Django-REST Framework Object Level Permissions and User Level Permissions

Let us cosider the scenario  of Authors, Books, Readers.

Authors are only allowed to write the books

Readers are only allowed to read the Books.

models.py

from django.utils.translation import ugettext_lazy as _
from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
 
class User(AbstractBaseUser, PermissionsMixin):
    USER_TYPES = (
       ("Author", "Author"),
       ("Reader", "Reader"),
       ("Publisher", "Publisher")
    )
    username = models.CharField(max_length=100, unique=True)
    first_name = models.CharField(_("first name"), max_length=30, blank=True, null=True)
    last_name = models.CharField(_("last name"), max_length=30, blank=True, null=True)
    email = models.EmailField(_("email address"), unique=True)
    is_staff = models.BooleanField(_("staff status"), default=False)
    is_active = models.BooleanField(_("active status"), default=True)
    user_type = models.CharField(choices=USER_TYPES)
    
    def __str__(self):
       return self.email

class Book(models.Model):
    READ_OPTIONS = (
    	('YES', 'YES'),
    	('NO', 'NO')
    )
    name = models.CharField(max_length=300)
    pages = models.IntegerField()
    price = models.DecimalField(max_digits=10, decimal_places=2)
    rating = models.FloatField()
    is_allowed_to_read = models.CharField(choices=READ_OPTIONS)

    def __str__(self):
    	return self.name



permissions.py

from rest_framework.permissions import BasePermission

class IsAllowedToWrite(BasePermission):
    
    def has_permission(self, request, view):
        return request.user.user_type == "Author"


class IsAllowedToRead(BasePermission):
    
    def has_object_permission(self, request, view, obj):
        return obj.is_allowed_to_read == "YES"


views.py

from rest_framework import generics
from app.permissions import IsAllowedToWrite, IsAllowedToRead
from app.serializers import WriteBookSerializer, 


class WriteBookView(generics.CreateAPIView):
	
    serializer_class = WriteBookSerializer
    permission_classes = (IsAllowedToWrite,)


class ReadBookView(generics.RetrieveAPIView):
	
    serializer_class = ReadBookSerializer
    permission_classes = (IsAllowedToWrite,) 

Find our Django REST Framework Development Services

for more details visit rest-framework documentaion or source code github 

 

Posted On 25 January 2017 By MicroPyramid


Need any Help in your Project?Let's Talk

Latest Comments
Related Articles
Integration Of GitHub API with python django

Using Github integration, we can get the user verified email id, general information, git hub URL, id, disk usage, public, private repo's, gists and followers, ...

Continue Reading...
Extract data from PDF and all Microsoft Office files in python

The quick way to get/extract text from PDFs in Python is with the Python library "slate". Slate is a Python package that simplifies the process ...

Continue Reading...
Integration Of Linkedin API in python django

Using Linkedin integration, we can get the user verified email id, general information, work history in a less span of time, and a user can ...

Continue Reading...
open source packages

Subscribe To our news letter

Subscribe and Stay Updated about our Webinars, news and articles on Django, Python, Machine Learning, Amazon Web Services, DevOps, Salesforce, ReactJS, AngularJS, React Native.
* We don't provide your email contact details to any third parties