9

I am trying to use DjangoModelPermissions and it does not seem to work properly.

This is the code:

import json

from rest_framework import permissions, viewsets
from rest_framework.response import Response


class TestViewSet(viewsets.ModelViewSet):
    model = Test
    serializer_class = serializers.TestSerializer
    permission_classes = (permissions.DjangoModelPermissions,)

    def create(self, request):
        response_data = {}
        response_data['type'] = 'error'
        # Parse the JSON request body by hand
        data = json.loads(request.raw_post_data)

        test = Test.objects.create(name=data['name'],
                                   description=data['description'],
                                   start_date=data['start_date'],
                                   end_date=data['end_date'])

        # save changes
        test.save()
        return Response({'status': 'ok', "result": test.id})

I don't think it makes any difference in this case but I am using django_mongodb_engine.

I have a user that has no permissions, and it is able to create Test instances. On the other hand, how can I also block GET so that only users with the right permissions can perform that action?

Thanks

Fabiot

3 Answers

1

The reason DjangoModelPermissions is not working here is clearly explained in the DRF docs:

"This permission must only be applied to views that have a .queryset property or get_queryset() method."

Check the docs here

The solution is:

Add queryset to your model

class TestViewSet(viewsets.ModelViewSet):
    serializer_class = serializers.TestSerializer
    permission_classes = (permissions.DjangoModelPermissions,)
    queryset = Test.objects.all()

Or, if you want to override the default queryset method, use this method as you like:

    def get_queryset(self):
        return super().get_queryset()

Also, I noticed you don't have to specify the model in your ModelViewSet. If you specify your Test model in TestSerializer, you only have to specify the serializer in ModelViewSet; that's how DRF works.

RaamVijay
0

My problem was the same. The user could create a new instance in the database despite the permission class. I looked into django-guardian and found that this back-end should be the default:

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
)

So I added it to my settings.py file and now it works, and a user without a permission cannot create a new instance. I hope it helps.

hof.and.or
-2

You need to have django-guardian with DRF for DjangoModelPermissions to work correctly. It's also mentioned in the original docs http://www.django-rest-framework.org/api-guide/permissions under the DjangoModelPermissions paragraph.

If it still doesn't work as it should, then let us know.

timop
    The documentation indicates the django-guardian is mentioned under the DjangoObjectPermissions section, not DjangoModelPermissions. In @Fabiot's question he is using the latter (as am I). Is guardian required for both? – Dave Novelli Feb 27 '15 at 06:47