Cannot Set IsOwner in permission_classes


juefri...@gmail.com
Mar 31, 2015, 11:03:03 AM
to django-res...@googlegroups.com
Hej!

I tried to reduce rights on a Django object using the rest_framework ModelViewSet.

I also created two users over "localhost:8000/admin" - fjue, rede.

If I create a Project using user "fjue", I don't want to make it visible to user "rede".

Referring to http://www.django-rest-framework.org/api-guide/permissions/#how-permissions-are-determined, an exception should be raised if the user is not allowed to do something here.

For some reason, both users "fjue" and "rede" can CRUD (create, retrieve, update, delete) the object "Project".

How come? What did I do wrong? Any suggestions?

It works fine if I use

...
    permission_classes = (permissions.IsAuthenticatedOrReadOnly,)
...


views.py
from app.serializer import ProjectSerializer
from app.models import Project

from django.shortcuts import render
from django.contrib.auth.models import User

from rest_framework import viewsets


class ProjectViewSet(viewsets.ModelViewSet):
    """
    This viewset automatically provides the

    - 'list'
    - 'create'
    - 'retrieve'
    - 'update'
    - 'delete'

    actions.
    """

    queryset = Project.objects.all()
    serializer_class = ProjectSerializer
    permission_classes = (IsOwner,)

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)


permission.py
from rest_framework import permissions


# Base class is rest_framework.permissions.BasePermission (no trailing 's');
# the posted snippet had "BasePermissions", which would not import.
class IsOwner(permissions.BasePermission):
    """
    Custom permission to only allow owner of object to
    read/write it.
    """

    def has_object_permissions(self, request, view, obj):
        # Read and write permissions are allowed to owner.
        return obj.owner == request.user



juefri...@gmail.com
Mar 31, 2015, 12:18:34 PM
to django-res...@googlegroups.com
Me again..

The custom permission IsOwnerOrReadOnly also doesn't work!

I can delete objects even if I'm not logged in! How can this be? I can provide virtualenv and project if somebody is interested...

Filipe Ximenes
Mar 31, 2015, 1:00:22 PM
to django-res...@googlegroups.com
Since you are only overwriting "has_object_permission", your custom permission is expected to only work on retrieve, update and delete. So being able to "create" and "list" seems to be the correct behaviour. Overwrite "has_permission" to cover those methods.
The views.py file is missing the import for IsOwner, are you sure you are importing from the correct place?
Also, are you overwriting the "get_object" method? If so, you need to explicitly call "check_object_permissions". (there's a note about this in the same link you sent)



--
You received this message because you are subscribed to the Google Groups "Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-fram...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
  
Filipe Ximenes
+55 (81) 8245-9204
Vinta Software Studio
http://www.vinta.com.br

juefri...@gmail.com
Apr 2, 2015, 1:04:11 AM
to django-res...@googlegroups.com
Thanks for your reply!

I'm using permissions.IsAuthenticated for logged-in users.

How do I use "def has_permissions(self, request, view)" to check if the user is allowed? Is there a method to check something like "request.user.exists()"?

from django.shortcuts import render, get_object_or_404
from setup.permissions import IsOwnerOrReadOnly, IsOwner, IsReadOnly
from rest_framework import permissions, viewsets
from setup.models import Project
# Assumed location of ProjectSerializer; the import was missing from the posted snippet.
from setup.serializer import ProjectSerializer


class ProjectViewSet(viewsets.ModelViewSet):
    """
    This viewset automatically provides 'list', 'create', 'retrieve',
    'update' and 'destroy' actions.
    """

    queryset = Project.objects.all()
    serializer_class = ProjectSerializer

    permission_classes = (permissions.IsAuthenticated,
                          IsOwner,
                          )

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)

    def get_object(self):
        # Look the object up by the pk from the URL; without a lookup kwarg,
        # get_object_or_404(queryset) calls .get() on the whole queryset.
        obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
        # Required when overriding get_object(): run the object-level permission checks.
        self.check_object_permissions(self.request, obj)
        return obj


Filipe Ximenes
Apr 2, 2015, 9:04:47 AM
to django-res...@googlegroups.com
Well, permission "IsAuthenticated" is supposed to do exactly that, verify if there is a logged user in the request (if the user is authenticated, it does exist).
Besides that, I have no clue why your permissions aren't working. Can you send me the project?


juefri...@gmail.com
Apr 8, 2015, 5:03:17 AM
to django-res...@googlegroups.com
Hej Filipe!

Sorry for my late answer!

Yes... You can have my project, of course!
I removed db.sqlite3 and the virtualenv... you might need to install missing dependencies and run:
  • python manage.py migrate
  • python manage.py createsuperuser
  • ...
Thx for your support!
jiargei_django.zip

Filipe Ximenes
Apr 8, 2015, 10:16:12 AM
to django-res...@googlegroups.com
Alright. First thing I found: the correct method to overwrite when creating a custom permission is:
def has_object_permission(self, request, view, obj):
and not "has_object_permissions" (with an 's' in the end) as you are doing in the project. Fix this and tell me if things work. =)

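The two points Filipe raises in this thread (has_permission gates list/create while has_object_permission only gates the detail actions, and a mis-spelled hook such as has_object_permissions is simply never called) are easiest to see in a small model of how DRF's APIView.check_permissions / check_object_permissions loops behave. The following is an added example, not code from the thread or from Django REST framework; User, Project, Request, View and the owner/stranger/anonymous fixtures are constructed stand-ins, while the hook names and the allow-by-default base class mirror DRF's BasePermission.

```python
# Added example: a dependency-free model of DRF's permission evaluation.
# User, Project, Request and View are constructed stand-ins (not DRF classes);
# the hook names and the allow-by-default base class mirror DRF's BasePermission.
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stand-in for DRF's PermissionDenied / NotAuthenticated."""


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Project:
    pk: int
    owner: User


@dataclass
class Request:
    user: User
    method: str  # "GET", "POST", "PUT", "DELETE"


class BasePermission:
    # Like DRF, both hooks default to "allow". A subclass that mis-spells a
    # hook name overrides nothing, so the default True is what actually runs.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return request.user.is_authenticated


class IsOwner(BasePermission):
    """Object-level check only: list and create are not gated by this class."""

    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user


class IsOwnerTypo(BasePermission):
    """The bug from the thread: trailing 's', so the framework never calls it."""

    def has_object_permissions(self, request, view, obj):
        return obj.owner == request.user


class View:
    """Mirrors check_permissions / check_object_permissions and a get_object()
    that calls check_object_permissions, as DRF's generic views do."""

    def __init__(self, permission_classes, objects):
        self.permission_classes = permission_classes
        self.objects = {o.pk: o for o in objects}

    def check_permissions(self, request):
        for perm in self.permission_classes:
            if not perm().has_permission(request, self):
                raise PermissionDenied(perm.__name__)

    def check_object_permissions(self, request, obj):
        for perm in self.permission_classes:
            if not perm().has_object_permission(request, self, obj):
                raise PermissionDenied(perm.__name__)

    def get_object(self, request, pk):
        obj = self.objects[pk]  # KeyError stands in for Http404
        self.check_object_permissions(request, obj)
        return obj

    def dispatch(self, request, pk=None):
        # View-level hook runs for every action; the object hook runs only for
        # detail actions (retrieve/update/destroy), via get_object().
        self.check_permissions(request)
        if pk is None:
            return "list" if request.method == "GET" else "create"
        self.get_object(request, pk)
        return {"GET": "retrieve", "PUT": "update", "DELETE": "destroy"}[request.method]


# Constructed fixtures matching the thread: fjue owns project 1, rede does not.
FJUE = User("fjue")
REDE = User("rede")
ANON = User("anonymous", is_authenticated=False)
PROJECTS = [Project(pk=1, owner=FJUE)]


def allowed(permission_classes, user, method, pk=None):
    """True if a request by `user` gets through the configured permission classes."""
    view = View(permission_classes, PROJECTS)
    try:
        view.dispatch(Request(user=user, method=method), pk)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    print("rede DELETE /1 with IsOwner:     ", allowed((IsOwner,), REDE, "DELETE", pk=1))
    print("rede DELETE /1 with IsOwnerTypo: ", allowed((IsOwnerTypo,), REDE, "DELETE", pk=1))
    print("anon GET list  with IsOwner:     ", allowed((IsOwner,), ANON, "GET"))
```

Running it shows the three behaviours discussed above: with a correctly named IsOwner, rede and an anonymous client are refused on DELETE /1, the mis-spelled IsOwnerTypo lets everyone through because the base class default answers for it, and an object-only permission still lets an anonymous client hit the list endpoint, which is why it needs to be combined with IsAuthenticated (or given its own has_permission). One further caveat for a list endpoint: object permissions do not filter results, so a list view that should only show a user's own projects must also restrict get_queryset() to objects owned by request.user.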

juefri...@gmail.com
Apr 8, 2015, 11:06:11 AM
to django-res...@googlegroups.com


".. The issue is somewhere between screen and chair .."

Thx Filipe!!!! That's a good one :D


Filipe Ximenes
Apr 8, 2015, 11:18:24 AM
to django-res...@googlegroups.com
ahahhahaha good one! 
Tell me if something else comes up.
