How to apply different permission classes for different http requests


I have a UserViewSet that supports get, post, patch, and delete HTTP requests. I have admins with different roles, some of them can delete users, and others cannot.

I want to edit my UserViewSet to support this feature.

I tried to do something like this:

from rest_framework.viewsets import ModelViewSet

# User, CanEdit, CanDelete, UpdateUserSerializer and UserSerializer are the asker's own classes
class UserViewSet(ModelViewSet):
    queryset = User.objects.all()
    http_method_names = ['get', 'post', 'patch', 'delete']

    def get_serializer_class(self):
        # Swaps permission_classes per HTTP method from inside the serializer hook.
        # Note that DRF runs check_permissions() in initial(), before the handler
        # ever asks for a serializer, so this assignment comes too late to matter.
        if self.request.method == 'PATCH':
            self.permission_classes = [CanEdit]
            return UpdateUserSerializer
        elif self.request.method == 'DELETE':
            self.permission_classes = [CanDelete]
        return UserSerializer

I am not sure if this is the best practice for doing this.

Best answer:

You can either change the get_permissions method, which is the general way to do that:

    def get_permissions(self):
        # IsSelf is the answerer's own object-level permission, not a DRF built-in
        if self.action in ['retrieve', 'update', 'partial_update']:
            return [((IsAuthenticated & IsSelf) | IsAdminUser)()]  # composed classes are instantiated like any other
        return super().get_permissions()  # every other action keeps the view's default permission_classes

or use a DRF extension to be used as a general configuration view which combines serializer and permissions: https://github.com/drf-psq/drf-psq

    from drf_psq import PsqMixin, Rule

    class UserViewSet(PsqMixin, ModelViewSet):
        queryset = User.objects.all()
        # Each Rule pairs the permission classes to check with the serializer used when they pass
        psq_rules = {
            ('retrieve', 'update', 'partial_update'): [
                Rule([IsAdminUser], UserFullSerializer),
                Rule([IsAuthenticated & IsSelf], UserBasicSerializer)
            ]
        }