Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/computer-lab/django-rest-framework-roles
Parameterizes Django REST Framework methods over user-defined roles
https://github.com/computer-lab/django-rest-framework-roles
django django-rest-framework roles
Last synced: 3 months ago
JSON representation
Parameterizes Django REST Framework methods over user-defined roles
- Host: GitHub
- URL: https://github.com/computer-lab/django-rest-framework-roles
- Owner: computer-lab
- License: bsd-2-clause
- Created: 2016-08-17T01:24:46.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2019-07-10T15:17:48.000Z (over 5 years ago)
- Last Synced: 2024-04-18T17:59:33.523Z (7 months ago)
- Topics: django, django-rest-framework, roles
- Language: Python
- Size: 6.84 KB
- Stars: 148
- Watchers: 7
- Forks: 17
- Open Issues: 5
-
Metadata Files:
- Readme: README.rst
- License: LICENSE
Awesome Lists containing this project
- awesome-django-rest-framework - django-rest-framework-roles - defined roles. (Packages / Authorization)
- starred-awesome - django-rest-framework-roles - Parameterizes Django REST Framework methods over user-defined roles (Python)
README
django-rest-framework-roles
===========================
Simplifies `Role Based Access Control`_ in `django-rest-framework`_.
Why would I use this?
---------------------
You have more than one type of user in your data model and you have
business logic that diverges depending on the type of user. You do not
want to organize your API by role because that is not very RESTful. You
do not want to manually type out a lot of conditional branching around
user roles.
Modeling Requirements
---------------------
- You must have one **Group** for each role
- A **User** cannot belong to more than one of the **Groups**
corresponding to each role
Installation
------------
.. code:: bash
$ pip install django-rest-framework-roles
Configuration
-------------
- ``VIEWSET_METHOD_REGISTRY`` A tuple of DRF methods to override.
Defaults to:
.. code:: python
(
"get_queryset",
"get_serializer_class",
"perform_create",
"perform_update",
"perform_destroy",
)
- ``ROLE_GROUPS`` A tuple of Group names that correspond 1-to-1 with
user roles. Defaults to:
.. code:: python
[group.name.lower() for group in Group.objects.all()]
It's recommended to define ``ROLE_GROUPS`` in ``settings`` to avoid
a database lookup on every request.
Usage
-----
Add the mixin to any ViewSet:
.. code:: python
from drf_roles.mixins import RoleViewSetMixin
class MyViewSet(RoleViewSetMixin, ModelViewSet):
# ...
For each of the methods specified in ``VIEWSET_METHOD_REGISTRY`` a
role-scoped method will be generated on your ViewSet.
Parameterizing
~~~~~~~~~~~~~~
For example, let’s say you have three groups named *Takers*, *Leavers* &
*Gods*. Let’s also say you included ``"get_queryset"`` in the
``VIEWSET_METHOD_REGISTRY``.
When a *Taker* user hits an endpont on the ViewSet, the call to
``get_queryset`` will be rerouted to a call to
``get_queryset_for_takers``.
When a *Leaver* user hits an endpont on the ViewSet, the call to
``get_queryset`` will be rerouted to a call to
``get_queryset_for_leavers``.
When a *God* user hits an endpont on the ViewSet, the call to
``get_queryset`` will be rerouted to a call to
``get_queryset_for_gods``.
You can implement each of these methods on your ViewSet to return a
different queryset for each type of user.
Not Parameterizing
~~~~~~~~~~~~~~~~~~
You can also *not* implement one or more of these methods, in which case
the default call will be executed. For example, with our same set of
groups and with ``"get_serializer_class"`` included in the role
registry, let’s say you did not implement
``get_serializer_class_for_takers``. When a *Taker* user hits an
endpoint on the ViewSet, the default implementation of
``get_serializer_class`` will be executed and return
``serializer_class``.
In this case, you would want to be sure that you have a
``serializer_class`` defined on your ViewSet! Otherwise Django REST
Framework will complain. It is a good idea to always define a default
``queryset`` and ``serializer_class`` with least privilege (e.g:
Model.objects.none()).
Roadmap
-------
- Some projects require even further parameterization. For example, you may need
to use a different `serializer_class` depending on the user's *role* **and**
the *request method*.
- There may be a more pleasant way to express the parameterization in code. For
example, it may be more pleasing to use nested classes instead of renaming the
methods.
Further Reading
---------------
- `Role-Based Access Control with Django Rest Framework`_
- `Computer Lab`_
.. _Role Based Access Control: https://en.wikipedia.org/wiki/Role-based_access_control
.. _django-rest-framework: http://www.django-rest-framework.org/
.. _Role-Based Access Control with Django Rest Framework: http://computerlab.io/2016/08/17/django-rest-framework-roles/
.. _Computer Lab: http://computerlab.io