Django Rest Framework Series - Permissions and Custom Permissions - What is Permission In DRF


Permissions in Django REST Framework:
This article looks at how permissions work in Django REST Framework (DRF).

--

Django REST Framework Permissions Series:

Permissions in Django REST Framework (this article!)
Built-in Permission Classes in Django REST Framework
Custom Permission Classes in Django REST Framework

Objectives

By the end of this article, you should be able to explain:

How DRF permissions work
The similarities and differences between has_permission and has_object_permission
When to use has_permission and has_object_permission

DRF Permissions

In DRF, permissions, along with authentication and throttling, are used to grant or deny access for different classes of users to different parts of an API.

Authentication and authorization work hand in hand. Authentication is always executed before authorization.

While authentication is the process of checking a user's identity (the user the request came from, the token that it was signed with), authorization is a process of checking if the request user has the necessary permissions for executing the request (are they a super user, are they the creators of the object).

The authorization process in DRF is covered by permissions.

View Permissions

APIView has two methods that check for permissions:

check_permissions checks if the request should be permitted based on request data
check_object_permissions checks if the request should be permitted based on the combination of the request and object data

BasePermission has two methods, has_permission and has_object_permission, that both return True. The permission classes override one or both of the methods to conditionally return True.

Turn back to the check_permissions and check_object_permissions methods from the beginning of the article:

check_permissions calls has_permission for each of the permissions
check_object_permissions calls has_object_permission for each of the permissions as well

has_permission

has_permission is used to decide whether a request and a user are allowed to access a specific view.

For example:

Is the request method allowed?
Is the user authenticated?
Is the user an admin or super user?

has_permission possesses knowledge about the request, but not about the object of the request.

As explained at the beginning, has_permission (called by check_permissions) is executed before the view handler runs, without you having to call it explicitly.

has_object_permission

has_object_permission is used to decide whether a specific user is allowed to interact with a specific object.

For example:

Who created the object?
When was it created?
To which group does the object belong?

Besides the knowledge of the request, has_object_permission also possesses data about the object of the request. The method executes after the object is retrieved from the database.

Unlike has_permission, has_object_permission isn't always executed by default:

With an APIView, you must explicitly call check_object_permissions to execute has_object_permission for all permission classes.
With ViewSets (like ModelViewSet) or Generic Views (like RetrieveAPIView), has_object_permission is executed via check_object_permissions inside the get_object method out of the box.
has_object_permission is never executed for list views (regardless of the view you're extending from) or when the request method is POST (since the object doesn't exist yet).
When any has_permission returns False, the has_object_permission doesn't get checked. The request is immediately rejected.

has_permission vs has_object_permission

What's the difference between has_permission and has_object_permission in Django REST Framework?
