Custom Permission in Django REST Framework (English) - Learn about Permission in DRF

Video description: Custom Permission in Django REST Framework (English) - Learn about Permission in DRF

Objectives

By the end of this article, you should be able to explain:

How DRF permissions work
The similarities and differences between has_permission and has_object_permission
When to use has_permission and has_object_permission

DRF Permissions

In DRF, permissions, along with authentication and throttling, are used to grant or deny access for different classes of users to different parts of an API.

Authentication and authorization work hand in hand. Authentication is always executed before authorization.

While authentication is the process of checking a user's identity (which user the request came from, which token it was signed with), authorization is the process of checking whether the requesting user has the necessary permissions to execute the request (are they a superuser, are they the creator of the object).

The authorization process in DRF is covered by permissions.

View Permissions

APIView has two methods that check for permissions:

check_permissions checks if the request should be permitted based on request data
check_object_permissions checks if the request should be permitted based on the combination of the request and object data

rest_framework/views.py
When the request comes in, authentication is performed. If the authentication isn't successful, a NotAuthenticated error is raised. After that, the permissions get checked in a loop, and if any of them fail, a PermissionDenied error is raised. Finally, a throttling check is performed against the request.

check_permissions is called before the view handler is executed while check_object_permissions is not executed unless you explicitly call it. For example:

from django.shortcuts import get_object_or_404
from rest_framework.response import Response
from rest_framework.views import APIView

class MessageSingleAPI(APIView):
    def get(self, request, pk):
        message = get_object_or_404(Message, pk=pk)  # Message and MessageSerializer are assumed names; the page shows only the class line
        self.check_object_permissions(request, message)  # explicit call: a plain APIView never does this for you
        return Response(MessageSerializer(message).data)
With ViewSets and Generic Views, check_object_permissions is called after the object is retrieved from the database for all detail views.

Permission classes

Permissions in DRF are defined as a list of permission classes. You can either create your own or use one of the seven built-in classes. All permission classes, custom or built-in, extend from the BasePermission class, which has two methods, has_permission and has_object_permission, that both return True by default. A permission class overrides one or both of these methods so that they return True only when its condition holds.

Turn back to the check_permissions and check_object_permissions methods from the beginning of the article:

check_permissions calls has_permission on each permission in the list
check_object_permissions calls has_object_permission on each permission in the list

has_permission

has_permission is used to decide whether a request and a user are allowed to access a specific view.

For example:

Is the request method allowed?
Is the user authenticated?
Is the user an admin or super user?

has_permission possesses knowledge about the request, but not about the object of the request.

As explained at the beginning, has_permission (called by check_permissions) gets executed before the view handler is executed, without explicitly calling it.

has_object_permission

has_object_permission is used to decide whether a specific user is allowed to interact with a specific object.

For example:

Who created the object?
When was it created?
Which group does the object belong to?

Besides the knowledge of the request, has_object_permission also possesses data about the object of the request. The method executes after the object is retrieved from the database.

Unlike has_permission, has_object_permission isn't always executed by default:
has_object_permission is never executed for list views (regardless of the view you're extending from) or when the request method is POST (since the object doesn't exist yet).
When any has_permission returns False, has_object_permission isn't checked at all. The request is rejected immediately.
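The following is an added example, not code from the video or from Django REST Framework itself. It is a stand-alone model of the flow described in the View Permissions and Permission classes sections above: a permission list, check_permissions running has_permission before the handler and short-circuiting on the first False, check_object_permissions running has_object_permission only once a detail handler has an object in hand, and the 401/403 split between NotAuthenticated and PermissionDenied. The names mirror DRF's so the two can be read side by side, but nothing here imports rest_framework, and the User, Request, Message and MessageView classes are simplified stand-ins, so it runs without a Django project.

```python
# Added example, not code from the video or from DRF: a stand-alone model of the
# permission flow described above. Names mirror DRF's (BasePermission, check_permissions,
# check_object_permissions, NotAuthenticated, PermissionDenied); nothing imports DRF.
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # the read-only methods DRF treats as "safe"

class NotAuthenticated(Exception):  # stand-in for DRF's exception (HTTP 401)
    pass

class PermissionDenied(Exception):  # stand-in for DRF's exception (HTTP 403)
    pass

@dataclass
class User:
    username: str
    is_authenticated: bool = True

@dataclass
class Request:
    method: str
    user: Optional[User]  # None models an anonymous (unauthenticated) request

@dataclass
class Message:
    pk: int
    owner: User
    text: str = ""

class BasePermission:
    # Both hooks allow everything by default; subclasses override one or both.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True

class IsAuthenticated(BasePermission):
    # View-level rule: sees the request, knows nothing about the object.
    def has_permission(self, request, view):
        return request.user is not None and request.user.is_authenticated

class IsOwnerOrReadOnly(BasePermission):
    # Object-level rule: anyone may read, only the owner may modify.
    def has_object_permission(self, request, view, obj):
        return request.method in SAFE_METHODS or obj.owner is request.user

class MessageView:
    """Models the slice of APIView dispatch the text describes (not DRF's code)."""
    permission_classes = [IsAuthenticated, IsOwnerOrReadOnly]

    def __init__(self, messages):
        self.objects = {m.pk: m for m in messages}  # stand-in for the database

    def permission_denied(self, request, refused_by):
        # Same split as DRF: unauthenticated -> 401, authenticated but refused -> 403.
        if request.user is None:
            raise NotAuthenticated()
        raise PermissionDenied(refused_by)

    def check_permissions(self, request):
        # Runs before every handler; the first False stops the loop.
        for permission in (cls() for cls in self.permission_classes):
            if not permission.has_permission(request, self):
                self.permission_denied(request, type(permission).__name__)

    def check_object_permissions(self, request, obj):
        # Reached only when a handler has an object in hand and calls it.
        for permission in (cls() for cls in self.permission_classes):
            if not permission.has_object_permission(request, self, obj):
                self.permission_denied(request, type(permission).__name__)

    def dispatch(self, request, pk=None):
        self.check_permissions(request)
        if request.method == "POST":  # object does not exist yet: no object check
            new = Message(pk=max(self.objects, default=0) + 1, owner=request.user)
            self.objects[new.pk] = new
            return "created", new.pk
        if pk is None:  # list view: no single object, only view-level checks ran
            return "list", len(self.objects)
        obj = self.objects[pk]  # detail view: fetch the object, then check it
        self.check_object_permissions(request, obj)
        return "ok", obj.pk

def outcome(view, request, pk=None):
    # Handler result, or (exception name, permission that refused) when blocked.
    try:
        return view.dispatch(request, pk)
    except (NotAuthenticated, PermissionDenied) as exc:
        return type(exc).__name__, str(exc)

# Constructed sample data: one message owned by alice.
alice, bob = User("alice"), User("bob")
view = MessageView([Message(pk=1, owner=alice, text="hello")])
```

Running outcome(view, Request("GET", None), pk=1) is refused as NotAuthenticated before any object is fetched; outcome(view, Request("PUT", bob), pk=1) passes both has_permission checks and is only refused by IsOwnerOrReadOnly at the object stage, while the same request from alice succeeds; a POST from bob creates a message with no object-level check at all, which is exactly why owner checks belong in has_object_permission and method or role checks in has_permission.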

What's the difference between has_permission and has_object_permission in Django REST Framework?
