Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
3.7k views
in Technique[技术] by (71.8m points)

python - Change permission on the basis of button chosen in Django

I am working on DRF and using viewsets for creating APIs. Here I am having one problem: suppose I have two buttons in a form, i.e. Employee and Manager. If the user clicks on Employee, then they have access to only GET requests, and if they click on Manager, then they have POST, PUT, PATCH permissions.

models.py

from django.db import models

class Employee(models.Model):
    emp_id = models.AutoField(primary_key=True)
    emp_name = models.CharField(max_length=30)
    email = models.EmailField(max_length=254, unique=True)
    position = models.CharField(max_length=30)
    team = models.CharField(max_length=30)
    phone = models.CharField(max_length=20, unique=True)

viewsets.py

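from rest_framework import viewsets
from .models import Employee  # sibling modules named on this page
from .serializers import EmployeeSerializer
from .custom_permiss import OfficeEngineerPermission
class EmpViewSet(viewsets.ModelViewSet):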
    serializer_class = EmployeeSerializer
    queryset = Employee.objects.all()
    permission_classes = [OfficeEngineerPermission]

serializers.py

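from rest_framework import serializers
from .models import Employee  # assumes models.py is in the same app

class EmployeeSerializer(serializers.ModelSerializer):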
    class Meta:
        model = Employee
        fields = '__all__'

I tried to write a custom permission but it doesn't work.

custom_permiss.py

SAFE_METHODS = ['GET', 'POST', 'PUT', 'PATCH', 'HEADER', 'OPTIONS']
class OfficeEngineerPermission(BasePermission):
    def has_permission(self, request, view):
        if (request.method in SAFE_METHODS and request.user == 'OfficeEngineer'):
            return True
        return Response({'message':'This is not allowed'})

I read everything but I am getting stuck. Please suggest!


1 Reply

0 votes
by (71.8m points)

You can override the viewset's get_permissions() method and define a permission for each of the viewset actions:

https://www.django-rest-framework.org/api-guide/viewsets/#viewset-actions

For example, I did a quick test with the following:

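from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated

# IsNotSuperUser, IsTeacher and IsSuperUser are custom permission classes (not shown).
class MyModelViewset(viewsets.ModelViewSet):
    serializer_class = MyModelSerializer
    queryset = MyModel.objects.all()  # DRF 3.x needs a queryset; the old `model` attribute is gone

    def get_permissions(self):
        # Choose the permission classes from the viewset action being requested.
        if self.action == "create":
            self.permission_classes = [IsNotSuperUser]
        elif self.action == "update":
            self.permission_classes = [IsTeacher]
        elif self.action == "partial_update":
            self.permission_classes = [IsNotSuperUser]
        elif self.action == "list":
            self.permission_classes = [IsSuperUser, IsAuthenticated]
        elif self.action == "retrieve":
            self.permission_classes = [IsSuperUser, IsAuthenticated]
        # Actions not listed above (e.g. destroy) keep the default permission_classes.
        # super() without arguments avoids infinite recursion if this class is subclassed.
        return super().get_permissions()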
   

With this you can control permissions for each of the HTTP verbs.
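
An added example, not code from the question or the answer: a deny-by-default role-to-action check with the same has_permission(request, view) shape, run beside the question's check to show how each one decides. It is plain Python so it runs without Django; ROLE_ACTIONS, the group_names attribute, the decide() helper and the dict standing in for Response are assumptions, and in a project the class would subclass DRF's BasePermission.

```python
from types import SimpleNamespace

# Role (a server-side group name) -> viewset actions it may call. Anything not
# listed, such as "destroy" or a custom @action route, is denied.
ROLE_ACTIONS = {
    "Employee": {"list", "retrieve"},
    "Manager": {"list", "retrieve", "create", "update", "partial_update"},
}


class RoleActionPermission:
    """Deny-by-default check with DRF's has_permission(request, view) shape."""

    def has_permission(self, request, view):
        user = request.user
        if not getattr(user, "is_authenticated", False):
            return False
        # The role comes from the authenticated account, not from a value the
        # client submits. group_names is an assumed attribute (e.g. filled
        # from user.groups).
        allowed = set()
        for role in user.group_names:
            allowed |= ROLE_ACTIONS.get(role, set())
        return view.action in allowed  # always a real bool


class QuestionPermission:
    """The question's check as posted, to show how it behaves."""

    METHODS = ["GET", "POST", "PUT", "PATCH", "HEADER", "OPTIONS"]

    def has_permission(self, request, view):
        if request.method in self.METHODS and request.user == "OfficeEngineer":
            return True
        return {"message": "This is not allowed"}  # stand-in for Response(...)


def decide(permission, user, method, action):
    """Apply the rule DRF uses: a falsy has_permission() result denies."""
    request = SimpleNamespace(user=user, method=method)
    view = SimpleNamespace(action=action)
    return bool(permission.has_permission(request, view))


# Constructed sample users.
ANON = SimpleNamespace(is_authenticated=False, group_names=[])
EMPLOYEE = SimpleNamespace(is_authenticated=True, group_names=["Employee"])
MANAGER = SimpleNamespace(is_authenticated=True, group_names=["Manager"])
```

decide(QuestionPermission(), ANON, "DELETE", "destroy") comes back True: the object returned in place of False is truthy, and request.user is a user object that never equals a string. The same call with RoleActionPermission() is False.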

