maright.blogg.se

Django rest framework permission classes








I have a Django app that allows a user to be a member of multiple Organizations. I've also got a custom user model with a property that generates a list of Organization IDs for that user:

    from import AbstractUser
    email = models.EmailField(max_length=254, unique=True)
    user_orgs_qs = er_role.all().values_list('organization_id', flat=True)

There are other models in the database that will have a relationship with an Organization. For example, Widget:

    from import BaseModel
    organization = models.ForeignKey(Organization, on_delete=models.DO_NOTHING)

I want to restrict CRUD operations based on OrganizationMember relationships. So, a user should only be able to perform CRUD operations on Widget if they are a member of the Organization. I've created:

    from rest_framework.permissions import DjangoModelPermissions
    class OrganizationPermission(DjangoModelPermissions):
        def has_object_permission(self, request, view, obj):
            return hasattr(obj, 'organization_id') and obj.organization_id is not None and obj.organization_id in _organization_ids

And my views:

    from rest_framework import viewsets
    from rest_framework.permissions import IsAuthenticated
    from .serializers import WidgetSerializer
    from import OrganizationPermission
    class WidgetViewSet(viewsets.ModelViewSet):
        permission_classes = (OrganizationPermission, IsAuthenticated)
        return (organization_id=self.kwargs)

But this does not seem to work; in my tests I can see Widgets in organizations that my user does not belong to, and no errors are returned.
Any suggestions on how to modify my DjangoModelPermission?

It seems like the logic in your has_object_permission is not working as intended. The most likely issue is this line:

    obj.organization_id in _organization_ids

Here, obj.organization_id is expected to be a string (as the user_organization_ids returns a list of strings), but Django automatically treats ForeignKey ids as integers or UUIDs (if using a UUID field). So you should convert the organization id to string before comparing it. Your has_object_permission function should look like this:

    def has_object_permission(self, request, view, obj):
        return hasattr(obj, 'organization') and str(obj.organization_id) in _organization_ids
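The type mismatch described in the answer above, shown as an added example that is not code from the original post: a raw membership test fails for real members when the user's ids are strings and the model's ids are integers or UUIDs. It goes one step beyond the answer's str() conversion by also canonicalising UUID text; OrganizationMembershipCheck, naive_check, normalize_id and the sample ids are hypothetical names and constructed values, and plain objects stand in for the DRF request and model so the block runs without Django.

```python
import uuid
from types import SimpleNamespace


def normalize_id(value):
    """Canonical string form of an int, UUID or string id; None if absent."""
    if value is None:
        return None
    text = str(value).strip()
    try:
        # UUID text may differ in case or hyphenation; canonicalise it.
        return str(uuid.UUID(text))
    except ValueError:
        return text or None


class OrganizationMembershipCheck:
    """Framework-free stand-in (hypothetical name) for the permission class."""

    def has_object_permission(self, request, view, obj):
        org_id = normalize_id(getattr(obj, "organization_id", None))
        if org_id is None:
            return False  # fail closed: no organization means no access
        allowed = {normalize_id(i) for i in request.user.user_organization_ids}
        return org_id in allowed


def naive_check(request, obj):
    """The raw comparison: object's id against the user's list, no conversion."""
    return obj.organization_id in request.user.user_organization_ids


# Constructed sample data: the user's ids are strings, the objects' ids are not.
ORG_UUID = uuid.UUID("7f3c1e1a-5b7d-4c52-9a57-0d3f2b6c8e11")
REQUEST = SimpleNamespace(user=SimpleNamespace(
    user_organization_ids=["42", "7F3C1E1A-5B7D-4C52-9A57-0D3F2B6C8E11"]))
WIDGETS = {
    "int_member": SimpleNamespace(organization_id=42),
    "uuid_member": SimpleNamespace(organization_id=ORG_UUID),
    "other_org": SimpleNamespace(organization_id=43),
    "no_org": SimpleNamespace(organization_id=None),
}

if __name__ == "__main__":
    check = OrganizationMembershipCheck()
    for name, widget in WIDGETS.items():
        print(name, naive_check(REQUEST, widget),
              check.has_object_permission(REQUEST, None, widget))
```

In DRF the method would sit on a BasePermission subclass. has_object_permission runs only when the view calls get_object(), so list endpoints need the same membership filter applied to the queryset.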









