I have a DRF ViewSet to which I am adding the CanViewAndEditStaff permission. I want only certain users (user.access_level < 2) to be able to view the list of staff. In my Permissions class, how can I differentiate between a call to the list view and to the get item view. Here is my permissions class:
class CanViewAndEditStaff(permissions.BasePermission):
def has_permission(self, request, view):
# IF THIS IS A LIST VIEW, CHECK ACCESS LEVEL
if ( request.user.access_level < 3 ):
return True
# ELSE, CONTINUE ON TO OBJECT PERMISSIONS
def has_object_permission(self,request,view,account):
# admin can do anything
if ( request.user.access_level == 1 ):
return True
# view/edit/delete
else:
# users can view their own account
if account == request.user:
return True
elif account.access_level >= request.user.access_level:
return True
return False
class CanViewAndEditStaff(permissions.BasePermission):
def has_permission(self, request, view):
# IF THIS IS A LIST VIEW, CHECK ACCESS LEVEL
if (view.action == 'list' and request.user.access_level < 3 ):
return True
# ELSE, CONTINUE ON TO OBJECT PERMISSIONS
you can use view.action to know if this is list or something else.
This doesn't exactly address the question, but this technique is applicable.
I used a variation on Ykh's answer that allows the same permission class to be used broadly across many views which display a variety of different models.
In my view class I added an attribute to distinguish the originating view, thus allowing the appropriate object comparison to determine permissions
# views.py
class SomeView(ListAPIView):
permission_classes = (IsPermd, )
is_some_view = True
class SomeOtherView(RetrieveAPIView
permission_classes = (IsPermd, )
is_some_other_view = True
# permissions.py
class IsPermd(BasePermission):
def has_object_permissions(self, request, view, obj):
if hasattr(view, 'is_some_view'):
# whatever special considerations
if hasattr(view, 'is_some_other_view'):
# whatever other special considerations
This feels a little clunky, but until I find a better way I'll stick with it.
Related
I've set up a custom permissions class to be reused from multiple views, in an app where some users have ownership-like rights on behalf of other users:
class IsOwnerLike(permissions.BasePermission):
def has_permission(self, request, view):
if (
user_is_owner(request.user, request.data["owned_by"])
| user_is_owner_like(request.user, request.data["owned_by"])
):
return True
return False
This works as expected for one ModelViewSet.
However, for legacy reasons, different requests coming in to different views may not have an "owned_by" data element -- it may be called "owned", "owner", "created_by", etc. -- and therefore I can't reuse this custom permission as written.
What is the correct way to abstract things at the viewset, to normalize data being passed to my custom permissions class? Can this be done, or should I be thinking about handling these permissions differently?
Found a solution.
I was able to add a custom attribute to the view:
class ViewOne(ModelViewSet):
ownership_fieldname = "owned_by"
permission_classes = [IsOwnerLike]
...
class ViewTwo(ModelViewSet):
ownership_fieldname = "owner"
permission_classes = [IsOwnerLike]
...
And then access it in the permission:
class IsOwnerLike(permissions.BasePermission):
def has_permission(self, request, view):
if (
user_is_owner(request.user, request.data[view.ownership_fieldname])
| user_is_owner_like(request.user, request.data[view.ownership_fieldname])
):
return True
return False
you should use from has_object_permission for object check for model access permission like this:
def has_object_permission(self, request, view, obj):
if hasattr(obj, 'owner'):
if obj.user == request.user:
return True
return False
you can change owner with your models owner field name
and for pass owner kwargs to permission class you should write custommModelViewSet and inheritance from ModelViewSet and override get_permissions() method
My flask app centers around modifying models based on SQLAlchemy. Hence, I find flask-admin a great plugin because it maps my SQLA models to forms with views already defined with a customizable interface that is tried and tested.
I understand that Flask-admin is intended to be a plugin for administrators managing their site's data. However, I don't see why I can't use FA as a framework for my users to CRUD their data as well.
To do this, I have written the following:
class AuthorizationRequiredView(BaseView):
def get_roles(self):
raise NotImplemented("Override AuthorizationRequiredView.get_roles not set.")
def is_accessible(self):
if not is_authenticated():
return False
if not current_user.has_role(*self.get_roles()):
return False
return True
def inaccessible_callback(self, name, **kwargs):
if not is_authenticated():
return current_app.user_manager.unauthenticated_view_function()
if not current_user.has_role(*self.get_roles()):
return current_app.user_manager.unauthorized_view_function()
class InstructionModelView(DefaultModelView, AuthorizationRequiredView):
def get_roles(self):
return ["admin", "member"]
def get_query(self):
"""Jails the user to only see their instructions.
"""
base = super(InstructionModelView, self).get_query()
if current_user.has_role('admin'):
return base
else:
return base.filter(Instruction.user_id == current_user.id)
#expose('/edit/', methods=('GET', 'POST'))
def edit_view(self):
if not current_user.has_role('admin'):
instruction_id = request.args.get('id', None)
if instruction_id:
m = self.get_one(instruction_id)
if m.user_id != current_user.id:
return current_app.user_manager.unauthorized_view_function()
return super(InstructionModelView, self).edit_view()
#expose('/delete/', methods=('POST',))
def delete_view(self):
return_url = get_redirect_target() or self.get_url('.index_view')
if not self.can_delete:
return redirect(return_url)
form = self.delete_form()
if self.validate_form(form):
# id is InputRequired()
id = form.id.data
model = self.get_one(id)
if model is None:
flash(gettext('Record does not exist.'), 'error')
return redirect(return_url)
# message is flashed from within delete_model if it fails
if self.delete_model(model):
if not current_user.has_role('admin') \
and model.user_id != current_user.id:
# Denial: NOT admin AND NOT user_id match
return current_app.user_manager.unauthorized_view_function()
flash(gettext('Record was successfully deleted.'), 'success')
return redirect(return_url)
else:
flash_errors(form, message='Failed to delete record. %(error)s')
return redirect(return_url)
Note: I am using Flask-User which is built on top of Flask-Login.
The code above works. However, it is difficult to abstract as a base class for other models which I would like to implement access control for CRUD operations and Index/Edit/Detail/Delete views.
Mainly, the problems are:
the API method, is_accessible, does not provide the primary key of the model. This key is needed because in almost all cases relationships between users and entities are almost always stored via relationships or in the model table directly (i.e. having user_id in your model table).
some views, such as delete_view, do not provide the instance id that can be retrieve easily. In delete_view, I had to copy the entire function just to add one extra line to check if it belongs to the right user.
Surely someone has thought about these problems.
How should I go about rewriting this to something that is more DRY and maintainable?
Using Wagtails Modeladmin:
Is there any way to disable edit & delete options leaving only the inspect view?
A possible approach that I can think of, is extending the template, removing the edit & delete buttons and then somehow disable the edit and delete view.
Is there any cleaner approach?
EDIT: Thanks to Loic answer I could figure out.
The PermissionHelper source code was also very helpful to figure out the correct method to override.
Complete answer for only showing inspect view
class ValidationPermissionHelper(PermissionHelper):
def user_can_list(self, user):
return True
def user_can_create(self, user):
return False
def user_can_edit_obj(self, user, obj):
return False
def user_can_delete_obj(self, user, obj):
return False
class ValidationAdmin(ModelAdmin):
model = Validation
permission_helper_class = ValidationPermissionHelper
inspect_view_enabled = True
[...]
Sadly, you need at least one of the add, change or delete permission on that model (set within the roles) for it to show up.
The way around that is to provide a custom permission helper class to your ModelAdmin and always allow listing (and still allow add/change/delete to be set within the roles):
class MyPermissionHelper(wagtail.contrib.modeladmin.helpers.PermissionHelper):
def user_can_list(self, user):
return True # Or any logic related to the user.
class MyModelAdmin(wagtail.contrib.modeladmin.options.ModelAdmin):
model = MyModel
permission_helper_class = MyPermissionHelper
modeladmin_register(wagtail.contrib.modeladmin.options.MyModelAdmin)
I currently have a bunch of inlines that all inherit from a base Inline Class set up like this:
class BaseInlineAdmin(admin.TabularInline):
extra = 0
def has_delete_permission(self, request, obj=None):
return False
def has_add_permission(self, request):
return False
I now want to change my admin so that depending on the user, the inlines change like so:
class PartyAdmin(admin.ModelAdmin):
inline1 = [Inline1, Inline2]
inline2 = [Inline1, Inline2, Inline3]
def get_inline_instances(self, request, obj=None):
if request.user.is_staff:
return [inline(self.model, self.admin_site) for inline in self.inline1]
else:
return [inline(self.model, self.admin_site) for inline in self.inline2]
However, when I do this, the has_add_permission no longer works. When I don't use get_inline_instances, the user has no ability to add another item and I would like this functionality to stay consistent. Is there any reason this is not carrying over when I use this method?
For the record, has_delete_permission remains False which makes the situation even weirder.
get_inline_instances is the method that checks the permission. If you want to check for permissions, you either have to call super().get_inline_instances(), or you need to replicate the code from the original function.
Is it possible to extend a generic view to allow user authentication? I want my view to limit the number of returned results from the model if a user is not logged in.
class CustomGalleryDetailView(DetailView):
def get_queryset(self):
if request.user.is_authenticated():
return Gallery.objects.on_site().is_public()
else:
return Gallery.objects.on_site().is_public()[:5]
This returns NameError global name 'request' is not defined.
The reason I want to extend the generic view is that here I am simply overriding a single of many views used by a 3rd party app in my program, and I want to maintain some consistency with the rest of the views which mainly rely on generic views.
just change it to self.request.user.is_authenticated(), so your class will become:
class CustomGalleryDetailView(DetailView):
def get_queryset(self):
if self.request.user.is_authenticated():
return Gallery.objects.on_site().is_public()
else:
return Gallery.objects.on_site().is_public()[:5]