Karl Ranna 2013-12-03 05:10:43 -08:00
commit 1221b93911
3 changed files with 23 additions and 4 deletions

@ -106,6 +106,12 @@ The `IsAuthenticatedOrReadOnly` will allow authenticated users to perform any re
This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users. This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.
## IsAdminOrReadOnly
The `IsAdminOrReadOnly` will allow superusers to perform any request. Requests for everyone else will only be permitted if the request method is one of the "safe" methods; `GET`, `HEAD` or `OPTIONS`.
This permission is suitable if you want to your API to allow read permissions to everyone, and only allow write permissions to administrators.
## DjangoModelPermissions ## DjangoModelPermissions
This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned. This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
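Review bot: the new `IsAdminOrReadOnly` section says the class allows "superusers", but the class added in the final hunk of this commit checks `request.user.is_staff`, which is Django's staff flag (admin-site access), not `is_superuser`. Either reword this section to "staff users" (or "admin users", matching the class docstring) or change the check, so the docs describe what the code actually enforces. The added sentence also repeats the typo in the existing paragraph above it: "if you want to your API to allow" should read "if you want your API to allow".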

@ -178,7 +178,7 @@ Because `ModelViewSet` extends `GenericAPIView`, you'll normally need to provide
""" """
queryset = Account.objects.all() queryset = Account.objects.all()
serializer_class = AccountSerializer serializer_class = AccountSerializer
permission_classes = [IsAccountAdminOrReadOnly] permission_classes = [IsAdminOrReadOnly]
Note that you can use any of the standard attributes or method overrides provided by `GenericAPIView`. For example, to use a `ViewSet` that dynamically determines the queryset it should operate on, you might do something like this: Note that you can use any of the standard attributes or method overrides provided by `GenericAPIView`. For example, to use a `ViewSet` that dynamically determines the queryset it should operate on, you might do something like this:
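Review bot: swapping `IsAccountAdminOrReadOnly` for `IsAdminOrReadOnly` changes what this example demonstrates: the old name read as a per-account (object-level) admin check, while `IsAdminOrReadOnly`, as added in this commit, is a global staff test that has nothing to do with the `Account` being edited. If the goal is only to reference a class that actually ships with the framework, consider saying so in the surrounding text and showing where it is imported from, so readers are not left thinking this is the way to express "admin of this account".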
@ -188,7 +188,7 @@ Note that you can use any of the standard attributes or method overrides provide
associated with the user. associated with the user.
""" """
serializer_class = AccountSerializer serializer_class = AccountSerializer
permission_classes = [IsAccountAdminOrReadOnly] permission_classes = [IsAdminOrReadOnly]
def get_queryset(self): def get_queryset(self):
return self.request.user.accounts.all() return self.request.user.accounts.all()
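Review bot: the same rename is a worse fit here than in the previous hunk, because the docstring and `get_queryset` scope the viewset to accounts "associated with the user" (`self.request.user.accounts.all()`); with `IsAdminOrReadOnly` an ordinary user can read their own accounts but only staff can write to them, which is probably not what the example is trying to illustrate. Either keep a custom object-level permission in this example or adjust the docstring to say that writes are restricted to staff.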

@ -77,8 +77,21 @@ class IsAuthenticatedOrReadOnly(BasePermission):
def has_permission(self, request, view): def has_permission(self, request, view):
if (request.method in SAFE_METHODS or if (request.method in SAFE_METHODS or
request.user and request.user and
request.user.is_authenticated()): request.user.is_authenticated()):
return True
return False
class IsAdminOrReadOnly(BasePermission):
"""
The request is authenticated as an admin, or is a read-only request.
"""
def has_permission(self, request, view):
if (request.method in SAFE_METHODS or
request.user and
request.user.is_staff):
return True return True
return False return False
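Review bot: `request.user.is_staff` grants the permission to any user with admin-site access, not only superusers, while the docs hunk in this commit describes the class as allowing "superusers"; decide which is intended (`is_staff` or `is_superuser`) and make the class docstring, which currently just says "admin", state it explicitly so callers know the exact bar for write access. The condition `request.method in SAFE_METHODS or request.user and request.user.is_staff` relies on `and` binding tighter than `or`; that is the intended reading, but wrapping `request.user and request.user.is_staff` in its own parentheses makes it obvious and keeps the shape identical to the `IsAuthenticatedOrReadOnly.has_permission` check directly above.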