I ended up using the Composed Permissions package listed in the
documentation:
https://www.django-rest-framework.org/api-guide/permissions/#composed-permissions
It already has implementations for 2 of my 3 groups, and the third one was
simple to do:
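    from restfw_composed_permissions.base import BasePermissionComponent

    class AllowOnlyAdmin(BasePermissionComponent):
        def has_permission(self, permission, request, view):
            # Grant access only to staff users and superusers.
            if request.user.is_staff or request.user.is_superuser:
                return True
            return False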
The rest of the code was pretty similar to the example in the docs, so I
will not reproduce it here.
On Friday, February 22, 2019 at 5:30:36 PM UTC-5, Balazs Szemes wrote:
>
> Hi,
>
> I'm trying to implement a simple authentication scheme with 3 groups:
>
> 1. no read or write access to AnonymousUser
> 2. read only for authenticated users
> 3. read and write for superusers (or staff users)
>
> This is similar to using IsAuthenticated or IsAuthenticatedOrReadOnly, but
> those are not quite right. It should be more like
> AuthenticatedReadOnlyOrNoAccess.
>
> I see the many ways permissions can be implemented at
> https://www.django-rest-framework.org/api-guide/permissions/ but not sure
> which approach would yield the "cleanest", easiest to maintain code. (I'm
> currently using ViewSet(ModelViewSet) classes to keep the views concise.)
>
> Any help would be much appreciated. Thanks.
>
> Balazs
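The three-tier rule from the question, written as a single default-deny check; this is an added example, not code from the thread or from the Composed Permissions package. It is plain Python that follows the `has_permission(request, view)` signature of DRF permission classes, and `AuthenticatedReadOnlyOrAdmin`, `fake_request`, `access_matrix` and the stand-in request objects are hypothetical names constructed here.

```python
from types import SimpleNamespace

# Same values as rest_framework.permissions.SAFE_METHODS, copied here so the
# example runs without Django installed.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class AuthenticatedReadOnlyOrAdmin:
    """Hypothetical permission: anonymous -> nothing, authenticated -> read,
    staff/superuser -> read and write. Anything unexpected is denied."""

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        # Tier 1: no user or AnonymousUser gets no access at all.
        if user is None or not getattr(user, "is_authenticated", False):
            return False
        # Tier 3: staff and superusers may use every method.
        if getattr(user, "is_staff", False) or getattr(user, "is_superuser", False):
            return True
        # Tier 2: other authenticated users may only read.
        return request.method in SAFE_METHODS

    def has_object_permission(self, request, view, obj):
        # Object-level checks follow the same rule as the view-level check.
        return self.has_permission(request, view)


def fake_request(method, **user_flags):
    """Constructed stand-in for a DRF request (sample input, not real traffic)."""
    return SimpleNamespace(method=method, user=SimpleNamespace(**user_flags))


def access_matrix(methods=("GET", "POST", "PUT", "PATCH", "DELETE")):
    """Return {(role, method): allowed} so the policy can be reviewed at a glance."""
    roles = {
        "anonymous": dict(is_authenticated=False, is_staff=False, is_superuser=False),
        "user": dict(is_authenticated=True, is_staff=False, is_superuser=False),
        "staff": dict(is_authenticated=True, is_staff=True, is_superuser=False),
        "superuser": dict(is_authenticated=True, is_staff=False, is_superuser=True),
    }
    perm = AuthenticatedReadOnlyOrAdmin()
    return {(role, m): perm.has_permission(fake_request(m, **flags), view=None)
            for role, flags in roles.items() for m in methods}


if __name__ == "__main__":
    for (role, method), allowed in access_matrix().items():
        print(f"{role:10} {method:7} {'allow' if allowed else 'deny'}")
```

Asserting on the full matrix in a test catches a later edit that accidentally opens write access to ordinary users or read access to anonymous ones.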