Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document how to alter ObjectPermissionsFilter #13

Open
jjrugui opened this issue Apr 3, 2020 · 2 comments
Open

Document how to alter ObjectPermissionsFilter #13

jjrugui opened this issue Apr 3, 2020 · 2 comments

Comments

@jjrugui
Copy link

jjrugui commented Apr 3, 2020

I'm having a bit of trouble following the documentation. I have a question regarding how to deal with the permissions using django-rest-framework-guardian. I followed the example in which I add the mixing and change the serializer filter backend and permissions class as stated.

My problem is, once I enable the backend and class for filter and permissions I don't have permissions for listing an endpoint unless I assign view permission explicitely under django admin. Do you need to assign to users all the default django permissions (add_model, view_model, etc) to a user in order to allow django guardian to deal with the object permissions?

It's a bit of a confusing question but I'm unsure from the documentation how the permissions are dealt with from a view perspective and an object perspective.
@rpkilby
Copy link
Owner

rpkilby commented Apr 4, 2020
edited
Loading

Do you need to assign to users all the default django permissions (add_model, view_model, etc) to a user in order to allow django guardian to deal with the object permissions?

For context, the permissions filter is basically just a wrapper around django-guardian's get_objects_for_user shortcut, and by default the global/model permissions are disabled, so users would need to have per-object permissions assigned to them.

django-rest-framework-guardian/src/rest_framework_guardian/filters.py

Lines 12 to 14 in c38a3b5

shortcut_kwargs = {
'accept_global_perms': False,
}

That said, you can customize the arguments passed to the shortcut by modifying ObjectPermissionsFilter.shortcut_kwargs, allowing you to use whatever behavior you want. e.g., you can accept global perms, or check the user's groups for object perms, etc...

Does that make sense?

edit: I'm asking if that makes sense because I don't actually use django-guardian and don't know if I explained it clearly. If I'm being completely honest, I made this package so that we could move the django-guardian integration out of DRF itself.

@rpkilby rpkilby changed the title [Question] View permissions vs object permissions Document how to alter ObjectPermissionsFilter's behavior Apr 4, 2020
@rpkilby rpkilby changed the title Document how to alter ObjectPermissionsFilter's behavior Document how to alter ObjectPermissionsFilter Apr 4, 2020
@jjrugui
Copy link
Author

jjrugui commented Apr 6, 2020

Yeah, I think it makes sense. I'm pretty new to Django and more specifically django-guardian though. I get that in order to get objects from get_objects_for_user those objects need to have appropiate permissions assigned but what would be the recommended way to deal with it when there are no objects (and thus no permissions at object level assigned) but they should be created through the API? I guess this should be done through the accept_global_perms?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rpkilby @jjrugui