DjangoModelPermissions
With the DjangoModelPermissions class, access is granted only if the user is authenticated and has the relevant Django model permissions assigned. The mapping from HTTP method to model permission is as follows:
- The user must have the add permission on the model to make POST requests.
- The user must have the change permission on the model to make PUT and PATCH requests.
- The user must have the delete permission on the model to make DELETE requests.
By default, the class permits GET (and HEAD and OPTIONS) requests for any authenticated user without checking a model permission; if reads should be restricted as well, subclass it and override its perms_map so that those methods require the view permission. DjangoModelPermissions ties into Django's standard django.contrib.auth model permissions, so the permissions must be assigned to the user directly or through one of the user's groups (a superuser passes every check). It can only be applied to views that expose a .queryset attribute or a get_queryset() method, because it derives the app label and model name from the queryset's model.
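To make the decision above concrete, here is an added example (not code from the original article, nor from Django REST framework itself) that mirrors how DjangoModelPermissions expands its perms_map and checks the user, without needing a Django project. The perms_map format is the one the real class uses; the Robot model, the "robots" app label, the FakeUser stand-in and the user names are assumptions for the walkthrough. It also shows the stricter variant in which GET requires the view permission.

```python
# Added example: a dependency-free mirror of DjangoModelPermissions' decision
# logic, so the method -> permission mapping can be traced offline.
# Assumptions: app label "robots", model "robot", users "sonu" and "editor".

# Same template format as rest_framework.permissions.DjangoModelPermissions.perms_map:
# reads require no model permission by default.
DEFAULT_PERMS_MAP = {
    "GET": [],
    "OPTIONS": [],
    "HEAD": [],
    "POST": ["%(app_label)s.add_%(model_name)s"],
    "PUT": ["%(app_label)s.change_%(model_name)s"],
    "PATCH": ["%(app_label)s.change_%(model_name)s"],
    "DELETE": ["%(app_label)s.delete_%(model_name)s"],
}

# Stricter variant: reads also need the "view" permission. In a real project this
# is a subclass of DjangoModelPermissions that overrides perms_map with this dict.
STRICT_PERMS_MAP = dict(
    DEFAULT_PERMS_MAP,
    GET=["%(app_label)s.view_%(model_name)s"],
    HEAD=["%(app_label)s.view_%(model_name)s"],
    OPTIONS=["%(app_label)s.view_%(model_name)s"],
)


class FakeUser:
    """Stand-in (assumption) for a Django user with only what the check uses.
    Permissions are "app_label.codename" strings, as Django's has_perms expects.
    Superuser short-circuiting is deliberately left out."""

    def __init__(self, username, perms=(), is_authenticated=True):
        self.username = username
        self.is_authenticated = is_authenticated
        self._perms = set(perms)

    def has_perms(self, perm_list):
        return all(perm in self._perms for perm in perm_list)


def required_permissions(method, app_label, model_name, perms_map=DEFAULT_PERMS_MAP):
    """Expand the perms_map template for one HTTP method.
    Unknown methods raise, which DRF reports as 405 Method Not Allowed."""
    if method not in perms_map:
        raise KeyError(f"method not allowed: {method}")
    context = {"app_label": app_label, "model_name": model_name}
    return [perm % context for perm in perms_map[method]]


def has_model_permission(user, method, app_label, model_name, perms_map=DEFAULT_PERMS_MAP):
    """Mirror of DjangoModelPermissions.has_permission: anonymous users are
    refused outright; otherwise every permission listed for the method is required
    (an empty list, e.g. GET by default, is satisfied by any authenticated user)."""
    if not user or not user.is_authenticated:
        return False
    return user.has_perms(required_permissions(method, app_label, model_name, perms_map))


if __name__ == "__main__":
    sonu = FakeUser("sonu")  # authenticated, no model permissions yet
    editor = FakeUser("editor", {"robots.add_robot", "robots.change_robot"})
    for user in (sonu, editor):
        for method in ("GET", "POST", "PUT", "DELETE"):
            allowed = has_model_permission(user, method, "robots", "robot")
            print(f"{user.username:7s} {method:7s} -> {'allowed' if allowed else 'denied'}")
```

Note what the default map implies: an authenticated user with no permissions at all can still list and retrieve robots. If that is not acceptable, use the stricter map (in DRF: subclass DjangoModelPermissions and set perms_map to it) or combine the view with IsAuthenticatedOrReadOnly only where anonymous reads are intended.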
First, import the DjangoModelPermissions class:
from rest_framework.permissions import DjangoModelPermissions
Next, replace the RobotList and RobotDetail classes with the code below.
Python3
from rest_framework import generics
from rest_framework.permissions import DjangoModelPermissions

# Adjust these two imports to the module paths used in your app.
from .models import Robot
from .serializers import RobotSerializer


class RobotList(generics.ListCreateAPIView):
    # List requires only authentication; create (POST) requires the add_robot permission.
    permission_classes = [DjangoModelPermissions]
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-list'


class RobotDetail(generics.RetrieveUpdateDestroyAPIView):
    # PUT/PATCH require change_robot, DELETE requires delete_robot.
    permission_classes = [DjangoModelPermissions]
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-detail'
Let's try to create a robot with the credentials of an ordinary (non-superuser) user. The HTTPie command is as follows:
http -a sonu:sn@pswrd POST :8000/robot/ name="IRB 140" robot_category="Articulated Robots" currency="USD" price=35000 manufacturer="ABB" manufacturing_date="2021-01-10 00:00:00+00:00"
Output
The request is rejected: the server answers 403 Forbidden with {"detail": "You do not have permission to perform this action."}. The user authenticated successfully (wrong credentials would instead produce 401 Unauthorized), but DjangoModelPermissions also requires the add permission on Robot for a POST, and we have not granted it. To grant it, log in to the admin site as a superuser, open the user under the Users section, move "Can add robot" (codename add_robot) into the chosen user permissions, and save. The permission can equally be granted through a group the user belongs to. The admin form is shown in the screenshot below:
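Granting the permission by clicking through the admin is fine for one user, but it is not repeatable. The following is an added example (not from the original article) of doing the same from `python manage.py shell` or a data migration. It assumes the Robot model lives in an app whose label is "robots" and that the user is "sonu"; the Django imports sit inside the function so the codename helper can be used on its own.

```python
# Added example: grant the model permissions DjangoModelPermissions will check,
# programmatically. Assumptions: app label "robots", model Robot, user "sonu".

def model_permission_codenames(model_name, actions):
    """Codenames Django's migrations create for a model: add_<model>, change_<model>,
    delete_<model>, view_<model>. model_name is lower-cased as Django does."""
    model_name = model_name.lower()
    return [f"{action}_{model_name}" for action in actions]


def grant_model_permissions(username, model, actions=("add",)):
    """Attach the requested model permissions to the user.
    Returns the "app_label.codename" strings that user.has_perms() will see."""
    from django.contrib.auth import get_user_model
    from django.contrib.auth.models import Permission
    from django.contrib.contenttypes.models import ContentType

    user_model = get_user_model()
    user = user_model.objects.get(username=username)
    content_type = ContentType.objects.get_for_model(model)
    codenames = model_permission_codenames(model._meta.model_name, actions)
    perms = list(
        Permission.objects.filter(content_type=content_type, codename__in=codenames)
    )
    if len(perms) != len(codenames):
        missing = set(codenames) - {p.codename for p in perms}
        raise LookupError(f"permissions not found (run migrations?): {sorted(missing)}")

    user.user_permissions.add(*perms)
    return sorted(f"{content_type.app_label}.{p.codename}" for p in perms)


# Usage from `python manage.py shell` (assumed module path):
#   from robots.models import Robot
#   grant_model_permissions("sonu", Robot, actions=("add",))
#   -> ['robots.add_robot']
```

One caveat worth knowing: Django's ModelBackend caches a user's permissions on the user object after the first has_perm()/has_perms() call, so a user instance you already checked in the same shell session will keep reporting the old result until you fetch it again from the database. Requests from HTTPie are unaffected, since each request loads the user afresh.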
Let's run the same HTTPie command again:
http -a sonu:sn@pswrd POST :8000/robot/ name="IRB 140" robot_category="Articulated Robots" currency="USD" price=35000 manufacturer="ABB" manufacturing_date="2021-01-10 00:00:00+00:00"
Output
This time the request succeeds: the server answers 201 Created and the response body contains the serialized robot, including its id. Note that the add permission alone does not let this user update or delete robots; PUT/PATCH and DELETE still need the change and delete permissions respectively.
Adding Permission in API – Django REST Framework
Access control has many scenarios to consider. Letting a caller reach risky operations or restricted data without the right authorization is a serious vulnerability (broken access control), which is why every API needs permissions.
Django REST framework lets us use permission classes to define, in one consistent way, which resources can be accessed and which actions can be performed. Permission checks run at the start of every view, before the handler method, using the authentication information in the 'request.user' and 'request.auth' properties of each incoming request. If a permission check fails, the view code does not run and the client receives an error response: 403 Forbidden when the user is authenticated but not permitted, or 401 Unauthorized when the request carried no valid credentials and the authentication scheme provides a WWW-Authenticate challenge. Object-level checks (has_object_permission) run later, when the view calls get_object().
Note: Together with authentication, permissions determine whether an incoming request is granted or denied. In this section, we combine Basic Authentication with Django REST framework permissions to set up access control. For the models, serializers, and views used here, refer to Browsable API in Django REST Framework for Models, Serializers, and Views.
Let's dig into the permission classes Django REST framework provides:
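Because Django REST framework's built-in default for DEFAULT_PERMISSION_CLASSES is AllowAny, any view that forgets to set permission_classes is open to everyone. The settings fragment below is an added example (not from the original article) showing the weak configuration beside a hardened one for a project that uses Basic Authentication; the view names in the comments refer to the RobotList and RobotDetail views of this tutorial.

```python
# Added example: settings.py fragment for the REST_FRAMEWORK dict.

# Weak: authentication is configured, but no default permission class is set, so
# every view without an explicit permission_classes falls back to AllowAny.
REST_FRAMEWORK_WEAK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.BasicAuthentication",
    ],
}

# Hardened: deny by default, and let individual views (RobotList, RobotDetail)
# opt into DjangoModelPermissions. Basic auth sends credentials on every request,
# so serve the API over HTTPS only. IsAuthenticated is used as the project-wide
# default rather than DjangoModelPermissions because the latter asserts (HTTP 500)
# on views that have no queryset, such as plain APIView or function-based views.
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.BasicAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}
```

With the hardened defaults in place, a view that sets permission_classes = [AllowAny] does so explicitly and visibly in code review, which is the behaviour you want for an API surface.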
- AllowAny
- IsAuthenticated
- IsAdminUser
- IsAuthenticatedOrReadOnly
- DjangoModelPermissions
- DjangoModelPermissionsOrAnonReadOnly
- DjangoObjectPermissions