
I'm learning Django + DRF + React and I have reached the phase where it's time to protect some endpoints. Some are easier to protect: just a permission so that only the user who created a particular object (and the admins) can see it. There is one endpoint which is tricky for me. It's a GET call and returns something like:

{book: "Who am I and how come",
 id: "whatever31",
 reading: ["user1", "user2"]}

I want to protect this endpoint based on the user making the request (session auth), so that only calls coming from user1 and user2 can access this object (and also not expose the reading field, but that's probably a different discussion). Should I use a custom permission on the DRF view? Should I use a filter in the queryset method instead? Maybe both?

  • Have you looked into creating a decorator on the controller? Sounds like this would be the place for it. http://stackoverflow.com/questions/5469159/how-to-write-a-custom-decorator-in-django – KVISH Sep 05 '16 at 19:26

1 Answer

A custom permission is just like creating a decorator; both of them match what you need:

from rest_framework import permissions

class InReader(permissions.IsAuthenticated):
    def has_object_permission(self, request, view, obj):
        # Runs only after IsAuthenticated.has_permission() has passed; "reading" is assumed to be a ManyToManyField, so iterate its .all()
        return request.user in obj.reading.all()