Django – Custom permissions for function based views
Question:
how can I write custom permissions for a function based view? I am using the REST framework, and I have written a ciphertext encryption/decryption API. I have one function based view for each key (key-detail
) which I would like to only make available to the owner of that key. I know that when using class based views, it is enough to define permission_classes
, but how do I do this for function based views? I have tried using the @permission_classes
decorator, but it is not working for my custom permission, which is written as so:
class IsOwner(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to access it.
"""
def has_object_permission(self, request, view, obj):
return obj.owner == request.user
Answers:
It seems like it’s a known issue, has_object_permission
is not supported when using function based views, it’s reported here.
If you would like to call has_permission
, you should be able to do so using the permission_classes
decorator as shown in the documentation
@api_view(['GET'])
@permission_classes((IsAuthenticated, ))
def example_view(request, format=None):
content = {
'status': 'request was permitted'
}
return Response(content)
I agree with the @Forge answer but If you still want to accomplish such things. You can follow this-
@api_view(['ANY_METHOD'])
@permission_classes([IsAuthenticated])
def model_delete_view(request, pk, *args, **kwargs):
obj = MyModel.objects.filter(pk=pk)
if not obj.exists():
return Response(
{'message': 'MyModel not found'},
status=status.HTTP_404_NOT_FOUND
)
obj = obj.filter(user=request.user)
if not obj.exists():
return Response(
{'message': 'You are not authorizated'},
status=status.HTTP_403_FORBIDDEN
)
obj.delete()
return Response({'message': 'MyModel deleted'}, status=status.HTTP_200_OK)
You have to add these words before def function_name ():
from rest_framework.decorators import authentication_classes
@authentication_classes([TokenAuthentication])
def func_name (request):
# Enter your code here.
Take careful in square brackets
how can I write custom permissions for a function based view? I am using the REST framework, and I have written a ciphertext encryption/decryption API. I have one function based view for each key (key-detail
) which I would like to only make available to the owner of that key. I know that when using class based views, it is enough to define permission_classes
, but how do I do this for function based views? I have tried using the @permission_classes
decorator, but it is not working for my custom permission, which is written as so:
class IsOwner(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to access it.
"""
def has_object_permission(self, request, view, obj):
return obj.owner == request.user
It seems like it’s a known issue, has_object_permission
is not supported when using function based views, it’s reported here.
If you would like to call has_permission
, you should be able to do so using the permission_classes
decorator as shown in the documentation
@api_view(['GET'])
@permission_classes((IsAuthenticated, ))
def example_view(request, format=None):
content = {
'status': 'request was permitted'
}
return Response(content)
I agree with the @Forge answer but If you still want to accomplish such things. You can follow this-
@api_view(['ANY_METHOD'])
@permission_classes([IsAuthenticated])
def model_delete_view(request, pk, *args, **kwargs):
obj = MyModel.objects.filter(pk=pk)
if not obj.exists():
return Response(
{'message': 'MyModel not found'},
status=status.HTTP_404_NOT_FOUND
)
obj = obj.filter(user=request.user)
if not obj.exists():
return Response(
{'message': 'You are not authorizated'},
status=status.HTTP_403_FORBIDDEN
)
obj.delete()
return Response({'message': 'MyModel deleted'}, status=status.HTTP_200_OK)
You have to add these words before def function_name ():
from rest_framework.decorators import authentication_classes
@authentication_classes([TokenAuthentication])
def func_name (request):
# Enter your code here.
Take careful in square brackets