django-rest-action-permissions
allows you to define permissions for each action provided by your ViewSet class.
Install using pip:
$ pip install django-rest-action-permissions
This library lets you define permissions like so:
# permissions.py
from rest_framework.permissions import (
AllowAny, BasePermission, IsAdminUser, IsAuthenticated
)
from rest_action_permissions.permissions import ActionPermission
class IsTweetOwner(BasePermission):
    """Object-level permission that passes only for the object's owner."""

    def has_object_permission(self, request, view, obj):
        # Only the object-level hook is overridden here. DRF evaluates it
        # through check_object_permissions(), which generic views call from
        # get_object(); a view that loads the object some other way must
        # call it explicitly, or this ownership check never runs.
        requester = request.user
        return obj.owner == requester
class TweetPermission(ActionPermission):
    """Per-action permission table for the tweet endpoints."""

    # The admin user has all permissions.
    enough_perms = IsAdminUser

    # Read-style actions: open to everyone, including anonymous clients.
    list_perms = AllowAny
    retrieve_perms = AllowAny

    # Actions that only require a logged-in user.
    create_perms = IsAuthenticated
    retweet_perms = IsAuthenticated
    undo_retweet_perms = IsAuthenticated

    # Actions restricted to the tweet's owner.
    # NOTE(review): DRF's ModelViewSet names its built-in actions `destroy`
    # and `partial_update`; confirm how ActionPermission resolves
    # `delete_perms` and PATCH requests. If they are not matched, the
    # write_perms fallback below is what applies.
    update_perms = IsTweetOwner
    delete_perms = IsTweetOwner

    # General read/write permissions.
    # Used if corresponding action permission hasn't been specified.
    # Keep the write fallback restrictive, so that an action added later
    # without its own *_perms entry is not left open by default.
    # IsTweetOwner only defines an object-level check, so the ownership half
    # of write_perms takes effect only where object permissions are
    # evaluated -- presumably the request-level half is IsAuthenticated
    # alone; verify against the library.
    read_perms = AllowAny
    write_perms = IsAuthenticated & IsTweetOwner
Corresponding ViewSet for the permissions defined above:
# views.py
from rest_framework import viewsets
from rest_framework.decorators import detail_route
from .models import Tweet
from .permissions import TweetPermission
from .serializers import TweetSerializer
class TweetViewSet(viewsets.ModelViewSet):
    # Access control for every action is delegated to TweetPermission.
    permission_classes = (TweetPermission,)
    serializer_class = TweetSerializer
    queryset = Tweet.objects.all()

    def perform_create(self, serializer):
        # The owner comes from the authenticated request, not from the
        # request body. NOTE(review): TweetSerializer is not shown here;
        # confirm `owner` is not a writable field, otherwise update requests
        # could still reassign ownership.
        author = self.request.user
        serializer.save(owner=author)

    # NOTE(review): detail_route is the older DRF decorator; newer DRF
    # releases use @action(detail=True) instead.
    # The action bodies are elided in this example. Object-level checks run
    # only if an action calls self.get_object() (or
    # check_object_permissions() directly).
    @detail_route(methods=['POST'])
    def retweet(self, request, *args, **kwargs):
        ...

    @detail_route(methods=['POST'])
    def undo_retweet(self, request, *args, **kwargs):
        ...
The interface of this library was inspired by the Taiga project.