From a1dfabb21ce735cf3941501fcafe5f226882d27c Mon Sep 17 00:00:00 2001
From: erkarl
Date: Tue, 3 Dec 2013 15:04:10 +0200
Subject: [PATCH] IsAdminOrReadOnly permission.

---
 docs/api-guide/permissions.md | 6 ++++++
 docs/api-guide/viewsets.md | 4 ++--
 rest_framework/permissions.py | 17 +++++++++++++++--
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md
index 871de84ec..88edf6a5f 100644
--- a/docs/api-guide/permissions.md
+++ b/docs/api-guide/permissions.md
@@ -106,6 +106,12 @@ The `IsAuthenticatedOrReadOnly` will allow authenticated users to perform any re
 
 This permission is suitable if you want to your API to allow read permissions to anonymous users, and only allow write permissions to authenticated users.
 
+## IsAdminOrReadOnly
+
+The `IsAdminOrReadOnly` will allow superusers to perform any request. Requests for everyone else will only be permitted if the request method is one of the "safe" methods; `GET`, `HEAD` or `OPTIONS`.
+
+This permission is suitable if you want to your API to allow read permissions to everyone, and only allow write permissions to administrators.
+
 ## DjangoModelPermissions
 
 This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user *is authenticated* and has the *relevant model permissions* assigned.
diff --git a/docs/api-guide/viewsets.md b/docs/api-guide/viewsets.md
index 1062cb32c..811e0f717 100644
--- a/docs/api-guide/viewsets.md
+++ b/docs/api-guide/viewsets.md
@@ -178,7 +178,7 @@ Because `ModelViewSet` extends `GenericAPIView`, you'll normally need to provide
 """
 queryset = Account.objects.all()
 serializer_class = AccountSerializer
- permission_classes = [IsAccountAdminOrReadOnly]
+ permission_classes = [IsAdminOrReadOnly]
 
 Note that you can use any of the standard attributes or method overrides provided by `GenericAPIView`. For example, to use a `ViewSet` that dynamically determines the queryset it should operate on, you might do something like this:
 
@@ -188,7 +188,7 @@ Note that you can use any of the standard attributes or method overrides provide
 associated with the user.
 """
 serializer_class = AccountSerializer
- permission_classes = [IsAccountAdminOrReadOnly]
+ permission_classes = [IsAdminOrReadOnly]
 
 def get_queryset(self):
 return self.request.user.accounts.all()
diff --git a/rest_framework/permissions.py b/rest_framework/permissions.py
index ab6655e7b..f1d7bfe87 100644
--- a/rest_framework/permissions.py
+++ b/rest_framework/permissions.py
@@ -77,8 +77,21 @@ class IsAuthenticatedOrReadOnly(BasePermission):
 
 def has_permission(self, request, view):
 if (request.method in SAFE_METHODS or
- request.user and
- request.user.is_authenticated()):
+ request.user and
+ request.user.is_authenticated()):
+ return True
+ return False
+
+
+class IsAdminOrReadOnly(BasePermission):
+ """
+ The request is authenticated as an admin, or is a read-only request.
+ """
+
+ def has_permission(self, request, view):
+ if (request.method in SAFE_METHODS or
+ request.user and
+ request.user.is_staff):
 return True
 return False
 
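Review bot: The docstring added for `IsAdminOrReadOnly` says the request is "authenticated as an admin" and the permissions.md hunk in this same patch says "superusers", but `has_permission` gates writes on `request.user.is_staff`, which in Django is the admin-site flag and is independent of `is_superuser`; an operator reading the docs would expect a stricter check than the one actually enforced. If the intent is to mirror `IsAdminUser` (which, to my reading, is also an `is_staff` check), say so in both places, e.g. the docstring `The request is made by a staff user (``is_staff``), or is a read-only request.` and, in permissions.md, "staff users (`is_staff`)" instead of "superusers"; if superusers really are meant, the condition should read `request.user.is_superuser`. The `-`/`+` pair on `IsAuthenticatedOrReadOnly` looks like a pure change of continuation-line indentation (whitespace is collapsed here, so this is inferred), and that class's header lies outside the hunk.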