authenticated user specific private fields

[Zoltán Szalai]

Hi,

How would you handle the below scenario on a serializer (and/or any
other) level?


John, Jack and James are managers of a vehicle fleet. The fleet produces
trips.

The real trip data looks like this (it's far more compilcated in real
but this is enough to demonstrate the problem):
{
"id": 1,
"driver": "John",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "John's home",
"category": "Work"
},
{
"id": 2,
"driver": "John",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "Jack's home",
"category": "Private"
},
{
"id": 3,
"driver": "Jack",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "Jack's home",
"category": "Work"
},
{
"id": 4,
"driver": "Jack",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "John's home",
"category": "Private"
}


John should see:
{
"id": 1,
"driver": "John",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "John's home",
"category": "Work"
},
{
"id": 2,
"driver": "John",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "Jack's home",
"category": "Private"
},
{
"id": 3,
"driver": "Jack",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "Jack's home",
"category": "Work"
},
{
"id": 4,
"driver": "Jack",
"start_location_address": "",
"end_location_address": "",
"category": "Private"
}

Jack should see:
{
"id": 1,
"driver": "John",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "John's home",
"category": "Work"
},
{
"id": 2,
"driver": "John",
"start_location_address": "",
"end_location_address": "",
"category": "Private"
},
{
"id": 3,
"driver": "Jack",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "Jack's home",
"category": "Work"
},
{
"id": 4,
"driver": "Jack",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "John's home",
"category": "Private"
}


James should see:
{
"id": 1,
"driver": "John",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "John's home",
"category": "Work"
},
{
"id": 2,
"driver": "John",
"start_location_address": "",
"end_location_address": "",
"category": "Private"
},
{
"id": 3,
"driver": "Jack",
"start_location_address": "J&J&J Ltd.",
"end_location_address": "Jack's home",
"category": "Work"
},
{
"id": 4,
"driver": "Jack",
"start_location_address": "",
"end_location_address": "",
"category": "Private"
}


So the private fields are "start_location_address" and
"end_location_address". They should only be available for the driver of
the trip if the trip is private.
Removing the private fields is also ok instead of returning empty strings.


I'm thinking on something like this but it feels a bit evil:
Inside the __init__ of the serializer I'd do something like this:

is_many = getattr(self.instance, "id", None) is None
if is_many:
objects = self.instance
else:
try:
objects = [self.instance]
except IndexError:
objects = []

request = self.context['request']
request_user = request.user

for o in objects:
if o.category == 'Private' and o.driver != request_user:
o.start_location_address = "" # or delattr(o,
"start_location_address")
o.end_location_address = "" # or delattr(o,
"end_location_address")


Is there a clean(er) way to handle this?
What about caching etc.?
What do you think in general?

Thanks in advance
Zoltan Szalai

[Alex Scott]

I think it might be best to just use two serializers and override get_serializer_class:

http://www.django-rest-framework.org/api-guide/generic-views/#get_serializer_classself

I think it'd end up looking pretty similar to your current solution though.

[Norbert Mate]

I would do this with serializer method field:http://www.django-rest-framework.org/api-guide/fields/#serializermethodfield

So instead of doing this check in the init  as you do I would do it in a get_start_location_address and get_end_location_address