DRF ViewSet operation authorization with rules
Question:
Considering the following model
class MyUser(AbstractBaseUser):
ADMIN = 0
TEACHER = 100
STUDENT = 200
UNSPECIFIED = 256
USER_TYPE_CHOICES = (
(ADMIN, 'admin'),
(TEACHER, 'teacher'),
(STUDENT, 'student'),
(UNSPECIFIED, 'unspecified')
)
...
user_type = models.IntegerField(db_column='userType', choices=USER_TYPE_CHOICES, blank=True, default=UNSPECIFIED)
And the following ViewSet
class CourseViewSet(ViewSet):
def create(self, request):
serializer = CourseSerializer(data=request.data)
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=201)
return Response(serializer.errors, status=400)
Using django-rules, how can the create() operation in CourseViewSet be restricted to only users of user_type TEACHER?
Answers:
If you want to auto apply permissions defined in your model you can use
in your course model something like this
from rules import predicates
@predicates.predicate()
def check_teacher(user):
if not hasattr(user, 'user_type'):
return False
if user.user_type == 'teacher':
return True
return False
class Course(models.Model):
....
class Meta:
rules_permissions = {
"add": check_teacher,
"read": rules.always_allow,
}
and your view
from rules.contrib.rest_framework import AutoPermissionViewSetMixin
class CourseViewSet(AutoPermissionViewSetMixin, viewsets.ViewSet):
def get_queryset(self):
return Course.objects.all()
def create(self, request):
serializer = CourseSerializer(data=request.data)
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=201)
return Response(serializer.errors, status=400)
Considering the following model
class MyUser(AbstractBaseUser):
ADMIN = 0
TEACHER = 100
STUDENT = 200
UNSPECIFIED = 256
USER_TYPE_CHOICES = (
(ADMIN, 'admin'),
(TEACHER, 'teacher'),
(STUDENT, 'student'),
(UNSPECIFIED, 'unspecified')
)
...
user_type = models.IntegerField(db_column='userType', choices=USER_TYPE_CHOICES, blank=True, default=UNSPECIFIED)
And the following ViewSet
class CourseViewSet(ViewSet):
def create(self, request):
serializer = CourseSerializer(data=request.data)
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=201)
return Response(serializer.errors, status=400)
Using django-rules, how can the create() operation in CourseViewSet be restricted to only users of user_type TEACHER?
If you want to auto apply permissions defined in your model you can use
in your course model something like this
from rules import predicates
@predicates.predicate()
def check_teacher(user):
if not hasattr(user, 'user_type'):
return False
if user.user_type == 'teacher':
return True
return False
class Course(models.Model):
....
class Meta:
rules_permissions = {
"add": check_teacher,
"read": rules.always_allow,
}
and your view
from rules.contrib.rest_framework import AutoPermissionViewSetMixin
class CourseViewSet(AutoPermissionViewSetMixin, viewsets.ViewSet):
def get_queryset(self):
return Course.objects.all()
def create(self, request):
serializer = CourseSerializer(data=request.data)
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=201)
return Response(serializer.errors, status=400)