Django Rest Framework authentication - how to implement custom decorator

[Tim Nelson]

I am trying to implement TokenAuthentication using the Rest Framework, but it seems that I can't add my own custom decorators to my ViewSets because they are evaluated BEFORE the authentication.  Consider this:

    from django.utils.decorators import method_decorator

    from django.http.response import HttpResponseForbidden

    

    def require_staff(View):

        def staffOnly(function):

            def wrap(request, *args, **kwargs):

                if request.user.is_active and request.user.is_staff:

                    return function(request, *args, **kwargs)

                else:

                    return HttpResponseForbidden()

            return wrap

    

        View.dispatch = method_decorator(staffOnly)(View.dispatch)

        return View

When I try to implement this, it seems the decorator code fires first, so the authentication is never run.

    @require_staff

    class CustomerViewSet(ModelViewSet):

        model = Customer

    

        filter_class = CustomerFilter

        filter_backends = (DjangoFilterBackend,)

Since request.user is never set, introducing the decorator breaks authentication.

Am I missing something here, or what is the proper way to implement this customization?

[Tim Nelson]

It has been said that I should DRF Permissions for this, does that make sense?

[Zoltan Szalai]

you can use DRF's IsAdminUser.
it's documented here:
http://www.django-rest-framework.org/api-guide/permissions
code is here:
https://github.com/tomchristie/django-rest-framework/blob/master/rest_framework/permissions.py#L60

--
You received this message because you are subscribed to the Google Groups "Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-fram...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.