Permissions and authorization
DRF Permission classes
- class vng_api_common.permissions.AuthScopesRequired
- class vng_api_common.permissions.BaseAuthRequired
Perform a permission check based on required scopes.
An APIView or rest_framework.viewsets.ViewSet needs to define the required_scopes attribute, mapping each action to the scope it requires. For an APIView you instead specify which HTTP method each scope applies to. Viewset example:
>>> class SomeViewSet(viewsets.ModelViewSet):
...     queryset = Some.objects.all()
...     permission_classes = (MainObjAuthScopesRequired,)
...     required_scopes = {
...         "retrieve": Scope("some.scope"),
...         "list": Scope("some.scope"),
...         "create": Scope("some.scope"),
...         "update": Scope("some.scope"),
...         "partial_update": Scope("some.scope"),
...         "destroy": Scope("some.scope"),
...     }
Or for APIView:
>>> class SomeView(APIView):
...     permission_classes = (BaseAuthRequiredSubclass,)
...     required_scopes = {"get": Scope("some.scope")}
...
...     def get(self, request):
...         ...
Note that BaseAuthRequired is not meant to be used directly: you need a subclass that sets get_obj or implements _get_object(), such as MainObjAuthScopesRequired used in the viewset example above.
- has_object_permission(request: Request, view, obj) → bool
Return True if permission is granted, False otherwise.
- has_permission(request: Request, view) → bool
Return True if permission is granted, False otherwise.
- class vng_api_common.permissions.ClientIdRequired
Look at the client_id of an object and check that it equals the client_id in the JWT. This is an object-level check only: Django REST framework calls has_object_permission() for detail routes that go through get_object(), so list and create requests are not restricted by this class on its own.
- has_object_permission(request: Request, view, obj) → bool
Return True if permission is granted, False otherwise.
- class vng_api_common.permissions.MainObjAuthScopesRequired
Perform permission checks based on the main resource of the endpoint.
- class vng_api_common.permissions.RelatedObjAuthScopesRequired
Perform permission checks based on an object related to the endpoint resource.
- vng_api_common.permissions.bypass_permissions(request: Request) → bool
Bypass permission checks in DEBUG when using the browsable API renderer. Because this short-circuits the scope checks entirely, it relies on DEBUG being False in any deployed environment.
- vng_api_common.permissions.permission_class_factory(base=<class 'vng_api_common.permissions.BaseAuthRequired'>, **attrs) → type
Build a view-specific permission class.
This is just a small wrapper around type intended to keep the code readable.
Scopes
Define scopes to manage authorizations on API resources.
Scope objects hold their own definition and documentation. Public scopes get added to the scope registry, which can be introspected for automatic documentation.
- class vng_api_common.scopes.Scope(label: str, description: Optional[str] = None, private: bool = False)
Define a single scope object.
A scope is characterized by a label, whereas the actual permissions related to it are implemented in the view(set)s. Scopes can be OR-ed together:
>>> Scope("foo") | Scope("bar")
Scope("foo | bar")
This is interpreted as: you have permission if either of the two scopes is present in your authorization configuration.
- Parameters:
label – A label identifying the scope. Labels must be unique.
description – An optional description of what the scope allows/means.
private – Private scopes are not added to the registry.
- is_contained_in(scope_set: List[str]) → bool
Test whether the flat scope_set (a list of scope labels, e.g. those carried in a JWT) encapsulates this scope. For an OR-ed scope, it is enough that one of the component scopes is contained in scope_set.
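The following is an added example, not code from vng_api_common, showing how the pieces documented on this page fit together: a Scope with a label and optional description, private scopes staying out of the registry, `|` meaning "either scope suffices", is_contained_in() evaluated against the flat list of labels from a JWT, a required_scopes mapping keyed by viewset action or by APIView HTTP method, and a client_id comparison in the spirit of ClientIdRequired. The Request, View and Obj models, the fail-closed default for an unmapped action, the uniqueness check on labels and the scope labels themselves are assumptions made for this example; none of them are the library's API.

```python
"""Scope-based authorization modelled on the behaviour documented above.

Added example, not vng_api_common's own code. Request/View/Obj, the
fail-closed default, the duplicate-label check and the labels are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Public scopes land here so documentation can be generated from them.
SCOPE_REGISTRY: Dict[str, "Scope"] = {}


class Scope:
    def __init__(self, label: str, description: Optional[str] = None, private: bool = False):
        self.label = label
        self.description = description
        self.private = private
        self.children: List["Scope"] = []
        if not private:
            # Assumption: enforce "labels must be unique" at definition time.
            if label in SCOPE_REGISTRY:
                raise ValueError(f"duplicate scope label: {label!r}")
            SCOPE_REGISTRY[label] = self

    def __repr__(self) -> str:
        return f'Scope("{self.label}")'

    def __or__(self, other: "Scope") -> "Scope":
        # Assumption: the OR-ed scope is a check, not something a client can be
        # granted, so it is kept private and never enters the registry.
        combined = Scope(f"{self.label} | {other.label}", private=True)
        combined.children = [self, other]
        return combined

    def is_contained_in(self, scope_set: List[str]) -> bool:
        """True if the flat list of labels satisfies this scope (any child for an OR)."""
        if self.children:
            return any(child.is_contained_in(scope_set) for child in self.children)
        return self.label in scope_set


@dataclass
class Request:
    method: str          # HTTP method, used for APIView-style mappings
    scopes: List[str]    # labels carried by the (already verified) JWT
    client_id: str       # client_id claim from the same JWT


@dataclass
class View:
    required_scopes: Dict[str, Scope]
    action: Optional[str] = None   # DRF sets this on viewsets; None for an APIView


@dataclass
class Obj:
    client_id: str


def required_scope(view: View, request: Request) -> Optional[Scope]:
    """Viewsets key required_scopes by action, APIViews by lower-cased HTTP method."""
    key = view.action if view.action is not None else request.method.lower()
    return view.required_scopes.get(key)


def has_permission(request: Request, view: View) -> bool:
    scope = required_scope(view, request)
    if scope is None:
        # Assumption: fail closed. A forgotten dict entry denies instead of allowing.
        return False
    return scope.is_contained_in(request.scopes)


def client_id_matches(request: Request, obj: Obj) -> bool:
    """Object-level check in the spirit of ClientIdRequired (constructed)."""
    return obj.client_id == request.client_id


# Constructed scopes, defined once so each label is registered exactly once.
READ = Scope("some.read", "Read the resource")
CREATE = Scope("some.create", "Create the resource")
UPDATE = Scope("some.update", "Update the resource")
INTERNAL = Scope("some.internal", private=True)   # not documented, not in registry

SOME_VIEWSET = View(
    required_scopes={
        "retrieve": READ,
        "list": READ,
        "create": CREATE,
        "update": CREATE | UPDATE,      # either scope is enough for a full update
        "partial_update": UPDATE,
    },
    action="update",                   # as DRF would set it for a PUT on a detail route
)
SOME_APIVIEW = View(required_scopes={"get": READ})


def demo() -> Dict[str, bool]:
    """Representative checks; returns a name -> granted mapping."""
    return {
        "or_either_suffices": has_permission(Request("PUT", ["some.update"], "c1"), SOME_VIEWSET),
        "or_no_match": has_permission(Request("PUT", ["some.read"], "c1"), SOME_VIEWSET),
        "apiview_by_method": has_permission(Request("GET", ["some.read"], "c1"), SOME_APIVIEW),
        "apiview_unmapped_method": has_permission(Request("DELETE", ["some.read"], "c1"), SOME_APIVIEW),
        "client_id_ok": client_id_matches(Request("GET", [], "c1"), Obj("c1")),
        "client_id_other_client": client_id_matches(Request("GET", [], "c1"), Obj("c2")),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Two points worth noticing when running it: the OR-ed scope never appears in SCOPE_REGISTRY (only the three public labels do), and the APIView DELETE case is denied because nothing maps it, which is the fail-closed choice this example makes rather than behaviour the page specifies.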