I'm trying to figure out, what is the best way to manage model access permissions with Django.
I have a table of items which belong to the users created them. All the items a managed via a RESTful API. When using this API I want to limit access to the items created by a given user.
Do I have to create several tables or is it possible to achieve the same with just one table? If I have to use multiple tables, how do I correlate API requests with a particular table?
Ok, I found a way to do it via both API and admin. This basically resembles Rob's idea.
First of all, every time I create a new user via admin panel, I need to append a user to my items:
Then when accessing my model, I just filter by user (which is btw a foreign key to django.contrib.auth.models.User):
Finally to make it work with Django REST Framework, I need to add a couple of methods to My custom ModelViewSet:
I've used documentation and (lots) trial and error to figure this out.
You could have a
created_by
field on your objects. Then compare the djangouser
to that. It's a little difficult help further without a concrete example.Using django-rest-framework and django-rest-auth, I had to perform additional steps as described in the answer by Lucas Weyne to this question.
Here's what he suggested that worked for me.
Make sure to include the authorization token in the request:
This is key because otherwise the server doesn't know who the user is.
Add this to your viewset definition:
This is important if the query is user dependent.
if you want generic object-level permissions then you can use a permission backend like django-guardian, here is examples for integrating with django-restframework