如何在 DRF ModelViewSet 中为单独的请求方法设置权限？

Question

I'm fairly new to Django and Django Rest Framework and I can't figure out why my code isn't working. I have a Biz model that has a few fields:

class Biz(models.Model):
    uuid = models.UUIDField(default=uuid.uuid4, editable=False)
    title = models.CharField(max_length=200)
    description = models.TextField()
    address = models.CharField(max_length=255, blank=True)
    city = models.CharField(max_length=100)
    phone = PhoneNumberField()

which I serializer using ModelSerializer:

class BizSerializer(serializers.ModelSerializer):
    class Meta:
        model = Biz
        fields = "__all__"

And I use ModelViewSet to have an endpoint for it:

class BizViewSet(viewsets.ModelViewSet):
    queryset = Biz.objects.all()
    authentication_classes = (authentication.TokenAuthentication,)
    permission_classes = [HasGroupPermission]
    required_groups = {
        "GET": ["__all__"],
        "POST": ["member", "biz_post"],
        "PUT": ["member", "biz_edit"],
        "PATCH": ["member", "biz_edit"],
    }

    serializer_class = BizSerializer

You probably noticed HasGroupPermission . It is a custom permission I made to confirm the requesting user is in required group(s) the code is:

def is_in_group(user, group_name):
    """
    Takes a user and a group name, and returns `True` if the user is in that group.
    """
    try:
        return Group.objects.get(name=group_name).user_set.filter(id=user.id).exists()
    except Group.DoesNotExist:
        return None


class HasGroupPermission(permissions.BasePermission):
    """
    Ensure user is in required groups.
    """

    def has_permission(self, request, view):
        # Get a mapping of methods -> required group.
        required_groups_mapping = getattr(view, "required_groups", {})

        # Determine the required groups for this particular request method.
        required_groups = required_groups_mapping.get(request.method, [])

        # Return True if the user has all the required groups or is staff.
        return all(
            [
                is_in_group(request.user, group_name)
                if group_name != "__all__"
                else True
                for group_name in required_groups
            ]
        ) or (request.user and request.user.is_staff)

However, when I make a GET request, the permission function works like it's supposed to and allows everyone to make the request, and when i make a POST request, the permission function also works perfectly (if user isn't in both "member" and "biz_post" groups the request is denied). The problem arises when I try other methods such as PUT, PATCH, and DELETE. Why is this issue happening? Half the methods work and the other half (sorta) don't. My knowledge in DRF is limited at the moment, and I can't seem to solve the issue.

Answer 1

I realized my problem which I found very silly. My BizViewSet is actually a ViewSet and I didn't realize that I have to make PATCH, PUT, and DELETE requests to the object link (as in localhost:8000/api/biz/$id). Since my User serializer isn't a ViewSet I thought the patch method works the same way which was I pass a primary key in JSON along with the data I wanted to patch but ViewSets are different and I didn't know that. Silly.

Answer 2

Hi you can use DjangoModelPermissions instead of HasGroupPermission

(at the first you must import it)

from rest_framework.permissions import DjangoModelPermissions

This permission check that user have permission for PUT, POST and DELETE

All user have GET permission

You must set permission for user in admin or set permission for group of user

I hope it helps you

Answer 3

has_permission method not provide object-level permission and PUT and PATCH need object-level permission.

You must create object-level permissions, that are only run against operations that affect a particular object instance by using has_object_permission method of permissions.BasePermission class.

See this link .

Hope it helped.