Api permissions
Permission classes to be used within ninja-extra controllers.
Some permissions are global (like `IsInGroup` or `IsRoot`), and some others are per-object (like `CanView` or `CanEdit`).
Examples:

```python
from django.conf import settings
from ninja_extra import ControllerBase, api_controller, route

# IsSubscriber, CanView, IsRoot and IsInGroup are the permission classes
# documented on this page; Counter is a model from the project.

# restrict all the routes of this controller
# to subscribed users
@api_controller("/foo", permissions=[IsSubscriber])
class FooController(ControllerBase):
    @route.get("/bar")
    def bar_get(self):
        # This route inherits the permissions of the controller
        ...

    @route.get("/bar/{bar_id}", permissions=[CanView])
    def bar_get_one(self, bar_id: int):
        # per-object permission resolution happens
        # when calling either the `get_object_or_exception`
        # or `get_object_or_none` method.
        bar = self.get_object_or_exception(Counter, pk=bar_id)

        # you can also call the `check_object_permissions` manually
        other_bar = Counter.objects.first()
        self.check_object_permissions(other_bar)
        ...

    # This route is restricted to counter admins and root users
    @route.delete(
        "/bar/{bar_id}",
        permissions=[IsRoot | IsInGroup(settings.SITH_GROUP_COUNTER_ADMIN_ID)],
    )
    def bar_delete(self, bar_id: int):
        ...
```
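Because per-object resolution only happens when the route calls `get_object_or_exception`, `get_object_or_none` or `check_object_permissions`, a route that declares `CanView`, `CanEdit` or `IsOwner` but fetches its object another way never runs the object check. The lint below is an added example, not part of the project: it parses controller source with `ast` and reports such routes; `SAMPLE`, `unchecked_routes` and the helper names are hypothetical.

```python
import ast

# Per-object permission classes documented on this page.
OBJECT_PERMS = {"CanView", "CanEdit", "IsOwner"}
# Controller methods that trigger per-object resolution (from the module docstring).
RESOLVERS = {"get_object_or_exception", "get_object_or_none", "check_object_permissions"}

# Constructed sample controller; it is only parsed, never imported or executed.
SAMPLE = '''
@api_controller("/foo", permissions=[IsSubscriber])
class FooController(ControllerBase):
    @route.get("/bar/{bar_id}", permissions=[CanView])
    def checked(self, bar_id: int):
        return self.get_object_or_exception(Counter, pk=bar_id)
    @route.get("/raw/{bar_id}", permissions=[CanView | IsRoot])
    def unchecked(self, bar_id: int):
        return Counter.objects.get(pk=bar_id)
    @route.delete("/bar/{bar_id}", permissions=[IsRoot])
    def global_only(self, bar_id: int):
        Counter.objects.filter(pk=bar_id).delete()
'''

def _names(nodes):
    """Every identifier or attribute name found under the given AST nodes."""
    walked = (n for node in nodes for n in ast.walk(node))
    return {getattr(n, "id", None) or getattr(n, "attr", None) for n in walked} - {None}

def _object_perms(decorators):
    """Per-object permissions named in a `permissions=` keyword of any decorator."""
    kws = [kw.value for d in decorators if isinstance(d, ast.Call)
           for kw in d.keywords if kw.arg == "permissions"]
    return _names(kws) & OBJECT_PERMS

def _is_route(node):
    """True for a method decorated with `@route.<verb>(...)`."""
    return isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and any(
        isinstance(d, ast.Call) and isinstance(d.func, ast.Attribute)
        and getattr(d.func.value, "id", None) == "route" for d in node.decorator_list)

def unchecked_routes(source):
    """(controller, method, perms) for routes declaring a per-object permission they never resolve."""
    findings = []
    for cls in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)):
        inherited = _object_perms(cls.decorator_list)  # declared on the controller
        for fn in filter(_is_route, cls.body):
            perms = inherited | _object_perms(fn.decorator_list)
            if perms and not (_names(fn.body) & RESOLVERS):
                findings.append((cls.name, fn.name, sorted(perms)))
    return findings
```

The check is a heuristic: it confirms only that a resolver name appears in the route body, not that it is called on the object the route actually returns.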
`CanAccessLookup = IsOldSubscriber | IsRoot | IsLoggedInCounter` (module attribute)
IsInGroup(group_pk)
IsRoot
Bases: BasePermission
Check that the user is root.
IsSubscriber
Bases: BasePermission
Check that the user is currently subscribed.
IsOldSubscriber
Bases: BasePermission
Check that the user has at least one subscription in their history.
CanView
Bases: BasePermission
Check that this user has the permission to view the object of this route.
Wrap the `user.can_view(obj)` method.
To see an example, look at the example in the module docstring.
CanEdit
Bases: BasePermission
Check that this user has the permission to edit the object of this route.
Wrap the `user.can_edit(obj)` method.
To see an example, look at the example in the module docstring.
IsOwner
Bases: BasePermission
Check that this user owns the object of this route.
Wrap the `user.is_owner(obj)` method.
To see an example, look at the example in the module docstring.
IsLoggedInCounter
Bases: BasePermission
Check that a user is logged in to a counter.