Django-REST Framework Object Level Permissions and User Level Permissions

Let us cosider the scenario  of Authors, Books, Readers.

Authors are only allowed to write the books

Readers are only allowed to read the Books.

models.py

from django.utils.translation import ugettext_lazy as _
from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
 
class User(AbstractBaseUser, PermissionsMixin):
    USER_TYPES = (
       ("Author", "Author"),
       ("Reader", "Reader"),
       ("Publisher", "Publisher")
    )
    username = models.CharField(max_length=100, unique=True)
    first_name = models.CharField(_("first name"), max_length=30, blank=True, null=True)
    last_name = models.CharField(_("last name"), max_length=30, blank=True, null=True)
    email = models.EmailField(_("email address"), unique=True)
    is_staff = models.BooleanField(_("staff status"), default=False)
    is_active = models.BooleanField(_("active status"), default=True)
    user_type = models.CharField(choices=USER_TYPES)
    
    def __str__(self):
       return self.email

class Book(models.Model):
    READ_OPTIONS = (
      ('YES', 'YES'),
      ('NO', 'NO')
    )
    name = models.CharField(max_length=300)
    pages = models.IntegerField()
    price = models.DecimalField(max_digits=10, decimal_places=2)
    rating = models.FloatField()
    is_allowed_to_read = models.CharField(choices=READ_OPTIONS)

    def __str__(self):
      return self.name

permissions.py

from rest_framework.permissions import BasePermission

class IsAllowedToWrite(BasePermission):
    
    def has_permission(self, request, view):
        return request.user.user_type == "Author"


class IsAllowedToRead(BasePermission):
    
    def has_object_permission(self, request, view, obj):
        return obj.is_allowed_to_read == "YES"

views.py

from rest_framework import generics
from app.permissions import IsAllowedToWrite, IsAllowedToRead
from app.serializers import WriteBookSerializer, 


class WriteBookView(generics.CreateAPIView):
  
    serializer_class = WriteBookSerializer
    permission_classes = (IsAllowedToWrite,)


class ReadBookView(generics.RetrieveAPIView):
  
    serializer_class = ReadBookSerializer
    permission_classes = (IsAllowedToWrite,)

Find our Django REST Framework Development Services

for more details visit rest-framework documentaion or source code github 

Posted On 25 January 2017 By MicroPyramid


Previous post Next post

Need any Help in your Project?Let's Talk

Latest Comments

Django-CRM :Customer relationship management based on Django

Django-blog-it : django blog with complete customization and ready to use with one click installer Edit

Django-webpacker : A django compressor tool

Django-MFA : Multi Factor Authentication

Docker-box : Web Interface to manage full blown docker containers and images

 More...
How to create Periodic Tasks with Django Celery?

Celery provides asynchronous job queues, which allows you to run Python functions in the background. Celery is on the Python Package Index (PyPi), and can ...

Continue Reading...
Improving page speed score in Google Page Score test- PART1

Google's Page Speed Insights measures the performance of a page for mobile devices and desktop devices. It fetches the url twice, once with a mobile ...

Continue Reading...
Deploying Your Django app on Heroku

Heroku is a platform as a service (PaaS) that enables developers to build and run applications entirely in the cloud.
1. installation
2. Creating and ...

Continue Reading...

Subscribe To our news letter

Subscribe and Stay Updated about our Webinars, news and articles on Django, Python, Machine Learning, Amazon Web Services, DevOps, Salesforce, ReactJS, AngularJS, React Native.
* We don't provide your email contact details to any third parties