<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<title>Django REST framework</title>
<link href="http://tomchristie.github.com/django-rest-framework/img/favicon.ico" rel="icon" type="image/x-icon">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<!-- Le styles -->
<link href="http://tomchristie.github.com/django-rest-framework/css/prettify.css" rel="stylesheet">
<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap.css" rel="stylesheet">
<link href="http://tomchristie.github.com/django-rest-framework/css/bootstrap-responsive.css" rel="stylesheet">
<link href="http://tomchristie.github.com/django-rest-framework/css/default.css" rel="stylesheet">
<!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
</head>
<body onload="prettyPrint()" class="permissions-page">
<div class="wrapper">
<div class="body-content">
<div class="container-fluid">
<div class="row-fluid">
<div class="span3">
<div id="table-of-contents">
<ul class="nav nav-list side-nav well sidebar-nav-fixed">
<li class="main"><a href="#permissions">Permissions</a></li>
<li><a href="#how-permissions-are-determined">How permissions are determined</a></li>
<li><a href="#object-level-permissions">Object level permissions</a></li>
<li><a href="#setting-the-permission-policy">Setting the permission policy</a></li>
<li class="main"><a href="#api-reference">API Reference</a></li>
<li><a href="#isauthenticated">IsAuthenticated</a></li>
<li><a href="#isadminuser">IsAdminUser</a></li>
<li><a href="#isauthenticatedorreadonly">IsAuthenticatedOrReadOnly</a></li>
<li><a href="#djangomodelpermissions">DjangoModelPermissions</a></li>
<li class="main"><a href="#custom-permissions">Custom permissions</a></li>
</ul>
</div>
</div>
<div id="main-content" class="span9">
<p><a class="github" href="https://github.com/tomchristie/django-rest-framework/blob/restframework2/rest_framework/permissions.py"><span class="label label-info">permissions.py</span></a></p>
<h1 id="permissions">Permissions</h1>
<blockquote>
<p>Authentication or identification by itself is not usually sufficient to gain access to information or code. For that, the entity requesting access must have authorization.</p>
<p>— <a href="https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html">Apple Developer Documentation</a></p>
</blockquote>
<p>Together with <a href="authentication">authentication</a> and <a href="throttling">throttling</a>, permissions determine whether a request should be granted or denied access.</p>
<p>Permission checks are always run at the very start of the view, before any other code is allowed to proceed. Permission checks will typically use the authentication information in the <code>request.user</code> and <code>request.auth</code> properties to determine if the incoming request should be permitted.</p>
<h2 id="how-permissions-are-determined">How permissions are determined</h2>
<p>Permissions in REST framework are always defined as a list of permission classes.</p>
<p>Before running the main body of the view, each permission in the list is checked.
If any permission check fails, an <code>exceptions.PermissionDenied</code> exception will be raised, and the main body of the view will not run.</p>
<h2 id="object-level-permissions">Object level permissions</h2>
<p>REST framework permissions also support object-level permissioning. Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance.</p>
<p>Object level permissions are run by REST framework's generic views when <code>.get_object()</code> is called. As with view level permissions, an <code>exceptions.PermissionDenied</code> exception will be raised if the user is not allowed to act on the given object.</p>
<h2 id="setting-the-permission-policy">Setting the permission policy</h2>
<p>The default permission policy may be set globally, using the <code>DEFAULT_PERMISSIONS</code> setting. For example:</p>
<pre class="prettyprint lang-py"><code>REST_FRAMEWORK = {
    'DEFAULT_PERMISSIONS': (
        'rest_framework.permissions.IsAuthenticated',
    )
}
</code></pre>
<p>You can also set the permission policy on a per-view basis, using the <code>APIView</code> class based views.</p>
<pre class="prettyprint lang-py"><code>from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

class ExampleView(APIView):
    # Checked before .get() runs; unauthenticated requests never reach the body.
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
        content = {
            'status': 'request was permitted'
        }
        return Response(content)
</code></pre>
<p>Or, if you're using the <code>@api_view</code> decorator with function based views:</p>
<pre class="prettyprint lang-py"><code>from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

# api_view takes a list of allowed methods; permission_classes takes an
# iterable of permission classes, so a single class is wrapped in a tuple.
@api_view(['GET'])
@permission_classes((IsAuthenticated,))
def example_view(request, format=None):
    content = {
        'status': 'request was permitted'
    }
    return Response(content)
</code></pre>
<h1 id="api-reference">API Reference</h1>
<h2 id="isauthenticated">IsAuthenticated</h2>
<p>The <code>IsAuthenticated</code> permission class will deny permission to any unauthenticated user, and allow permission otherwise.</p>
<p>This permission is suitable if you want your API to only be accessible to registered users.</p>
<h2 id="isadminuser">IsAdminUser</h2>
<p>The <code>IsAdminUser</code> permission class will deny permission to any user, unless <code>user.is_staff</code> is <code>True</code>, in which case permission will be allowed.</p>
<p>This permission is suitable if you want your API to only be accessible to a subset of trusted administrators.</p>
<h2 id="isauthenticatedorreadonly">IsAuthenticatedOrReadOnly</h2>
<p>The <code>IsAuthenticatedOrReadOnly</code> permission class will allow authenticated users to perform any request. Requests from unauthenticated users will only be permitted if the request method is one of the "safe" methods: <code>GET</code>, <code>HEAD</code> or <code>OPTIONS</code>.</p>
<p>This permission is suitable if you want your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.</p>
<h2 id="djangomodelpermissions">DjangoModelPermissions</h2>
<p>This permission class ties into Django's standard <code>django.contrib.auth</code> <a href="https://docs.djangoproject.com/en/1.0/topics/auth/#permissions">model permissions</a>. When applied to a view that has a <code>.model</code> property, authorization will only be granted if the user has the relevant model permissions assigned.</p>
<ul>
<li><code>POST</code> requests require the user to have the <code>add</code> permission on the model.</li>
<li><code>PUT</code> and <code>PATCH</code> requests require the user to have the <code>change</code> permission on the model.</li>
<li><code>DELETE</code> requests require the user to have the <code>delete</code> permission on the model.</li>
</ul>
<p>The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a <code>view</code> model permission for <code>GET</code> requests.</p>
<p>To use custom model permissions, override <code>DjangoModelPermissions</code> and set the <code>.perms_map</code> property. Refer to the source code for details.</p>
<p>The <code>DjangoModelPermissions</code> class also supports object-level permissions. Third-party authorization backends such as <a href="https://github.com/lukaszb/django-guardian">django-guardian</a> that provide object-level permissions should work just fine with <code>DjangoModelPermissions</code> without any custom configuration required.</p>
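<p>As an added example (not REST framework's own code), the following standalone Python models the decision a <code>DjangoModelPermissions</code> subclass makes once <code>.perms_map</code> has been extended with a <code>view</code> permission for <code>GET</code>: the HTTP method is expanded into Django permission codenames and the user must hold every one of them, with unmapped methods denied. The <code>FakeUser</code> stand-in, the view's <code>app_label</code>/<code>model_name</code> attributes and the sample requests are constructed for the example.</p>

```python
from types import SimpleNamespace

class FakeUser:
    """Constructed stand-in for request.user holding flat 'app.codename' perms."""
    def __init__(self, perms=(), authenticated=True):
        self.perms = set(perms)
        self.authenticated = authenticated

    def is_authenticated(self):
        return self.authenticated

    def has_perms(self, perm_list, obj=None):
        # Django semantics: every requested permission must be held.
        return all(perm in self.perms for perm in perm_list)


class ModelPermissionsWithView:
    """Models a DjangoModelPermissions subclass whose perms_map also
    requires the 'view' model permission for GET requests."""
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],   # the added read check
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    def get_required_permissions(self, method, app_label, model_name):
        """Expand the format strings for this method into permission codenames."""
        names = {'app_label': app_label, 'model_name': model_name}
        return [perm % names for perm in self.perms_map[method]]

    def has_permission(self, request, view, obj=None):
        # Methods absent from the map are denied rather than silently allowed.
        if request.method not in self.perms_map:
            return False
        perms = self.get_required_permissions(request.method, view.app_label, view.model_name)
        return request.user.is_authenticated() and request.user.has_perms(perms, obj)


def decide(method, user):
    """Run the check for one constructed request against a 'blog.post' model view."""
    request = SimpleNamespace(method=method, user=user)
    view = SimpleNamespace(app_label='blog', model_name='post')
    return ModelPermissionsWithView().has_permission(request, view)


if __name__ == '__main__':
    reader = FakeUser(['blog.view_post'])
    editor = FakeUser(['blog.view_post', 'blog.change_post'])
    print(decide('GET', reader), decide('PUT', reader), decide('PUT', editor))
```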
<h1 id="custom-permissions">Custom permissions</h1>
<p>To implement a custom permission, override <code>BasePermission</code> and implement the <code>.has_permission(self, request, view, obj=None)</code> method.</p>
<p>The method should return <code>True</code> if the request should be granted access, and <code>False</code> otherwise.</p>
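<p>As an added example, not code from the original page or from REST framework, here is a custom permission written against the <code>.has_permission(self, request, view, obj=None)</code> contract described above: anyone may read, only authenticated users may write, and once a generic view passes <code>obj</code> from <code>.get_object()</code> only its owner may change it. In a project the class would subclass <code>rest_framework.permissions.BasePermission</code>; the <code>owner</code> attribute, the <code>FakeUser</code> and <code>Post</code> stand-ins and the sample requests are assumptions made for the example.</p>

```python
from types import SimpleNamespace

SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')


class FakeUser:
    """Constructed stand-in for request.user (REST framework 2.0 calls is_authenticated())."""
    def __init__(self, username, authenticated=True):
        self.username = username
        self.authenticated = authenticated

    def is_authenticated(self):
        return self.authenticated


class Post:
    """Constructed stand-in for a model instance with an assumed 'owner' field."""
    def __init__(self, owner):
        self.owner = owner


class IsOwnerOrReadOnly:
    # In a project: class IsOwnerOrReadOnly(BasePermission)
    def has_permission(self, request, view, obj=None):
        # Safe methods are read-only, so any caller may proceed.
        if request.method in SAFE_METHODS:
            return True
        # Writes need an authenticated user (the view-level check, obj is None).
        if not request.user.is_authenticated():
            return False
        # View-level pass: the object has not been looked up yet.
        if obj is None:
            return True
        # Object-level check from .get_object(): only the owner may modify it.
        return getattr(obj, 'owner', None) == request.user


def check(method, user, obj=None):
    """Evaluate the permission for one constructed request; the view is not consulted."""
    request = SimpleNamespace(method=method, user=user)
    return IsOwnerOrReadOnly().has_permission(request, view=None, obj=obj)


if __name__ == '__main__':
    alice = FakeUser('alice')
    bob = FakeUser('bob')
    anonymous = FakeUser('', authenticated=False)
    post = Post(owner=alice)
    print(check('GET', anonymous), check('POST', anonymous),
          check('PUT', bob, post), check('PUT', alice, post))
```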
</div> <!-- /span -->
</div> <!-- /row -->
</div> <!-- /.fluid-container -->
</div> <!-- /.body content -->
<div id="push"></div>
</div> <!-- /.wrapper -->
<footer class="span12">
<p>Sponsored by <a href="http://dabapps.com/">DabApps</a>.</p>
</footer>
<!-- Le javascript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="http://tomchristie.github.com/django-rest-framework/js/jquery-1.8.1-min.js"></script>
<script src="http://tomchristie.github.com/django-rest-framework/js/prettify-1.0.js"></script>
<script src="http://tomchristie.github.com/django-rest-framework/js/bootstrap-2.1.1-min.js"></script>
<script>
//$('.side-nav').scrollspy()
var shiftWindow = function() { scrollBy(0, -50) };
if (location.hash) shiftWindow();
window.addEventListener("hashchange", shiftWindow);

$('.dropdown-menu').on('click touchstart', function(event) {
    event.stopPropagation();
});
</script>
</body></html>