This package provides utilities for defining fine-grained permissions in Django REST Framework-based API views.
pip install drf-fancy-permissions
Use the fancy_permissions.model_action_permission_factory, fancy_permissions.object_action_permission_factory and fancy_permissions.parent_object_action_permission_factory functions in order to define authorization rules.
from fancy_permissions import (
    model_action_permission_factory,
    object_action_permission_factory,
    parent_object_action_permission_factory,
)
from rest_framework.mixins import (
    CreateModelMixin,
    ListModelMixin,
    RetrieveModelMixin,
    UpdateModelMixin,
)
from rest_framework.viewsets import GenericViewSet, ViewSet
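class SomeViewSet(
    CreateModelMixin,
    RetrieveModelMixin,
    UpdateModelMixin,
    ListModelMixin,
    GenericViewSet,
):
    """Example viewset wiring the three fancy_permissions factories together.

    Each factory call returns one entry of ``permission_classes``. DRF
    evaluates every entry for a request and denies access as soon as one of
    them refuses, so the three rule sets below combine with AND.

    The base class is ``GenericViewSet`` because the DRF model mixins call
    ``get_serializer()``, ``get_queryset()`` and ``get_object()``, which the
    plain ``ViewSet`` does not provide.

    Setting ``permission_classes`` here replaces the project-wide
    ``DEFAULT_PERMISSION_CLASSES`` for this view, so a default such as
    ``IsAuthenticated`` no longer applies unless it is listed explicitly.
    """

    serializer_class = SomeModelSerializer
    permission_classes = [
        # Model-level rules: each action maps to a list of Django permission
        # codenames ("app_label.codename"); None means no requirement.
        # NOTE(review): UpdateModelMixin exposes `update` (PUT) as well as
        # `partial_update` (PATCH), but only `partial_update` has a rule in
        # any of the three factories. Confirm how the factories treat an
        # action with no entry (deny vs. allow) before relying on this.
        model_action_permission_factory(
            create=['some_app.add_somemodel'],
            # Open for all users. NOTE(review): whether that includes
            # unauthenticated users is not stated here - confirm, and add an
            # authentication requirement if anonymous access is not intended.
            retrieve=None,
            partial_update=['some_app.change_somemodel'],
            list=None,  # open for all users
        ),
        # Object-level rules: each action maps to a list of predicates
        # called as (obj, user).
        # NOTE(review): if these are enforced through DRF's
        # has_object_permission, they only run when the view calls
        # get_object() / check_object_permissions() - confirm for any
        # custom action.
        # NOTE(review): `close` is configured here and in the parent-object
        # rules but not in the model-level rules, and this class defines no
        # `close` action - presumably a custom action omitted from the
        # example; confirm.
        object_action_permission_factory(
            create=None,
            retrieve=None,
            partial_update=[
                lambda obj, user: (
                    obj.status == 'SOME_STATUS'
                    and not obj.has_something_meaningful()
                ),
            ],
            list=None,
            close=None,
        ),
        # Parent-object rules: predicates called as (obj, user); presumably
        # `obj` is the parent of the resource being accessed - confirm how
        # the parent is resolved.
        parent_object_action_permission_factory(
            create=[lambda obj, user: obj.can_create_children()],
            retrieve=None,
            partial_update=[lambda obj, user: obj.can_update_children()],
            list=None,
            close=None,
        ),
    ]
    queryset = SomeModel.objects.all()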
The Django Wicked Historian package is licensed under the FreeBSD License.