DjangoObjectPermissions behaviour #6596
Comments
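I realize now that this is not how things are implemented, so my proposed solution doesn't work. I'm using a workaround to get an Object | Model permission like this:

```python
from rest_framework.permissions import DjangoModelPermissions, DjangoObjectPermissions


# The class statement is not in the original comment; the name is a placeholder.
class ObjectOrModelPermissions(DjangoObjectPermissions):
    def has_object_permission(self, request, view, obj):
        # A model-level permission is sufficient on its own.
        if DjangoModelPermissions.has_permission(self, request, view):
            return True
        # Otherwise fall back to the per-object permission.
        queryset = self._queryset(view)
        model_cls = queryset.model
        user = request.user
        perms = self.get_required_object_permissions(request.method, model_cls)
        return user.has_perms(perms, obj)

    def has_permission(self, request, view):
        # Only list requests are gated on the model-level permission here.
        handler = getattr(view, request.method.lower(), None)
        if handler and handler.__name__ == 'list':
            return DjangoModelPermissions.has_permission(self, request, view)
        return True
```
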
I too found it surprising that Could there be a new

If someone else wants to implement a third party package for that, then sure. I don’t really see a strong enough use case for it myself.

FWIW, in case this helps someone else, I ended up overriding I also added support for

```python
from rest_framework.permissions import DjangoObjectPermissions, SAFE_METHODS
from rest_framework.request import Request
from rest_framework.viewsets import GenericViewSet


class IsAuthenticatedDjangoObjectPermissions(DjangoObjectPermissions):
    """Allows access only to authenticated users who have the appropriate object level permissions.
    """
    # Copy the mapping; assigning into DjangoObjectPermissions.perms_map directly
    # would change the parent class for every view that uses it.
    perms_map = dict(DjangoObjectPermissions.perms_map)
    # Add default Django view permissions added in Django 2.1 and not included in DRF
    # DjangoObjectPermissions as of DRF 3.9.4.
    for method in SAFE_METHODS:
        perms_map[method] = ['%(app_label)s.view_%(model_name)s']

    def has_permission(self, request: Request, view: GenericViewSet) -> bool:
        # Override DjangoModelPermissions which DjangoObjectPermissions inherits from.
        # Taken from rest_framework.permissions.IsAuthenticated.
        return bool(request.user and request.user.is_authenticated)
```

#6325 will add support for the view permission. It should be merged whenever we're ramping up for the 3.11 release in December, which will add Django 3.0 support and drop support for 2.1 and below.

Hi,

I'm having some issues with the default `DjangoObjectPermissions`. The behaviour currently is not what I would expect. I can update the documentation to be more clear about the current implementation, or if you like I can create a pull request with my proposed fix.

My issue is as follows. If one uses `DjangoObjectPermissions`, since it extends `DjangoModelPermissions`, it also checks the basic model permission (`DjangoModelPermissions.has_permission`). At least I think the documentation should be more clear about this, but actually I think there is a better implementation. I would expect this permission class to ONLY check for the object permissions. Current behaviour can then simply be recreated by using `DjangoObjectPermissions & DjangoModelPermissions`, but this change would also allow `DjangoObjectPermissions | DjangoModelPermissions` (which I think is a nice default). The simplest fix would be to just add to `DjangoObjectPermissions`.

There is a second issue: because in some cases it raises exceptions (see django-rest-framework/rest_framework/permissions.py, Lines 287 to 302 in db65282

I realize this could be a breaking change for many users so perhaps we can create this new permission class with a different name? Let me know what you think, I could create a PR with a change or update the docs to at least explain the current situation.