API permissions

Permission classes to be used within ninja-extra controllers.

Some permissions are global (like IsInGroup or IsRoot), and some others are per-object (like CanView or CanEdit).

Examples:

from django.conf import settings
from ninja_extra import ControllerBase, api_controller, route

from core.api_permissions import CanView, IsInGroup, IsRoot, IsSubscriber

# restrict all the routes of this controller
# to subscribed users
@api_controller("/foo", permissions=[IsSubscriber])
class FooController(ControllerBase):
    @route.get("/bar")
    def bar_get(self):
        # This route inherits the permissions of the controller
        # ...
        ...

    @route.get("/bar/{bar_id}", permissions=[CanView])
    def bar_get_one(self, bar_id: int):
        # per-object permission resolution happens
        # when calling either the `get_object_or_exception`
        # or `get_object_or_none` method.
        # (`Counter` is one of the project's models.)
        bar = self.get_object_or_exception(Counter, pk=bar_id)

        # you can also call `check_object_permissions` manually
        other_bar = Counter.objects.first()
        self.check_object_permissions(other_bar)

        # ...

    # This route is restricted to counter admins and root users
    @route.delete(
        "/bar/{bar_id}",
        permissions=[IsRoot | IsInGroup(settings.SITH_GROUP_COUNTER_ADMIN_ID)],
    )
    def bar_delete(self, bar_id: int):
        # ...
        ...
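
The per-object caveat from the example above, as an added illustration that is not the project's code: a plain-Python model of the two check phases, showing that a route declaring CanView still returns an object the user cannot view when the handler fetches it without going through `get_object_or_exception` or `check_object_permissions`. `User`, `Controller`, `DB` and the handler names are constructed stand-ins, and the route-level phase of `CanView` always passing is an assumption of this model.

```python
# Standalone model of the two permission phases; no Django or ninja-extra needed.
class PermissionDenied(Exception):
    pass

class User:  # constructed stand-in for the project's user model
    def __init__(self, viewable_ids):
        self._viewable = set(viewable_ids)
    def can_view(self, obj):
        return obj["id"] in self._viewable

class CanView:  # stand-in: assumes only the object-level phase can decide
    def has_permission(self, user):
        return True  # no object exists yet at route level
    def has_object_permission(self, user, obj):
        return user.can_view(obj)

DB = {1: {"id": 1, "owner": "alice"}, 2: {"id": 2, "owner": "bob"}}  # constructed

class Controller:
    permissions = [CanView()]
    def __init__(self, user):
        self.user = user
    def dispatch(self, handler, pk):
        # Phase 1: route-level check, always run before the handler.
        if not all(p.has_permission(self.user) for p in self.permissions):
            raise PermissionDenied("route")
        return handler(self, pk)

    def check_object_permissions(self, obj):
        # Phase 2: runs only when the handler asks for it.
        if not all(p.has_object_permission(self.user, obj) for p in self.permissions):
            raise PermissionDenied("object")

    def get_object_or_exception(self, pk):
        obj = DB[pk]
        self.check_object_permissions(obj)
        return obj

def unchecked_handler(ctrl, pk):
    return DB[pk]  # direct lookup: CanView is declared but never evaluated

def checked_handler(ctrl, pk):
    return ctrl.get_object_or_exception(pk)

def fetch_owner(handler, user, pk):
    try:
        return Controller(user).dispatch(handler, pk)["owner"]
    except PermissionDenied as exc:
        return f"denied:{exc}"
```

In code review, a route that lists a per-object permission but reads the model through the ORM directly is the pattern to flag.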

IsInGroup(group_pk)

Bases: BasePermission

Check that the user is in the group whose primary key is given.

Source code in core/api_permissions.py
def __init__(self, group_pk: int):
    self._group_pk = group_pk

IsRoot

Bases: BasePermission

Check that the user is root.

IsSubscriber

Bases: BasePermission

Check that the user is currently subscribed.

IsOldSubscriber

Bases: BasePermission

Check that the user has at least one subscription in their history.

CanView

Bases: BasePermission

Check that this user has the permission to view the object of this route.

Wrap the user.can_view(obj) method. To see an example, look at the example in the module docstring.

CanEdit

Bases: BasePermission

Check that this user has the permission to edit the object of this route.

Wrap the user.can_edit(obj) method. To see an example, look at the example in the module docstring.

IsOwner

Bases: BasePermission

Check that this user owns the object of this route.

Wrap the user.is_owner(obj) method. To see an example, look at the example in the module docstring.

IsLoggedInCounter

Bases: BasePermission

Check that a user is logged in to a counter.