Re: DRF Tutorial Object Level Permissions

2018-01-09 Thread Xavier Ordoquy 
Hi

You should rename « permissions_classes » into « permission_classes »  (note it 
is one letter shorter).

Regads,
Xavier,
Linovia.

> Le 10 janv. 2018 à 07:48, Craig Wilson  a écrit :
> 
> I'm working through the DRF tutorial and everything has been working fine up 
> until topic Object Level Permission. I have modified my project according to 
> the tutorial but I'm still able to delete and edit records related to other 
> users.
> 
> I created permissions.py file:
> 
> from rest_framework import permissions
> 
> 
> class IsOwnerOrReadOnly(permissions.BasePermission):
> """
> Custom permission to only allow owners of an object to edit it.
> """
> def has_object_permission(self, request, view, obj):
> # Read permissions are allowed to any request,
> # so we'll always allow GET, HEAD or OPTIONS requests.
> if request.method in permissions.SAFE_METHODS:
> return True
> 
> # Write permissions are only allowed to the owner of the snippet.
> return obj.owner == request.user
> 
> and modified SnippetDetail view:
> 
> 
> class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
> """
> Retrieve update or delete a code snippet
> """
> permissions_classes = (permissions.IsAuthenticatedOrReadOnly, 
> IsOwnerOrReadOnly,)
> queryset = Snippet.objects.all()
> serializer_class = SnippetSerializer
> 
> Where am I going wrong?
> 
> --
> You received this message because you are subscribed to the Google Groups 
> "Django REST framework" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-rest-framework+unsubscr...@googlegroups.com 
> .
> For more options, visit https://groups.google.com/d/optout 
> .

-- 
You received this message because you are subscribed to the Google Groups 
"Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-rest-framework+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Message signed with OpenPGP

DRF Tutorial Object Level Permissions

2018-01-09 Thread Craig Wilson 
I'm working through the DRF tutorial and everything has been working fine 
up until topic *Object Level Permission. *I have modified my project 
according to the tutorial but I'm still able to delete and edit records 
related to other users.

I created permissions.py file:

from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to edit it.
""" 
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True

# Write permissions are only allowed to the owner of the snippet.
return obj.owner == request.user

and modified SnippetDetail view:


class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
"""
Retrieve update or delete a code snippet
"""
permissions_classes = (permissions.IsAuthenticatedOrReadOnly, 
IsOwnerOrReadOnly,)
queryset = Snippet.objects.all()
serializer_class = SnippetSerializer

Where am I going wrong?

-- 
You received this message because you are subscribed to the Google Groups 
"Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-rest-framework+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Version 3.7.4 Released

2018-01-09 Thread Christian Ledermann 
I get the same error upgrading from 
djangorestframework==3.6.3 to djangorestframework==3.7.7


from rest_framework import viewsets
class APIBaseViewSet(viewsets.ViewSet):
   


test snippet:

  self.request = request_factory.get('/')
  view = APIBaseViewSet.as_view({'get': 'list'}, 
key='other/pattern/10/')
  response = view(self.request).render()

api_client/tests/test_views.py:53: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
venv/lib/python3.5/site-packages/django/views/decorators/csrf.py:58: in 
wrapped_view
return view_func(*args, **kwargs)
venv/lib/python3.5/site-packages/rest_framework/viewsets.py:95: in view
return self.dispatch(request, *args, **kwargs)
venv/lib/python3.5/site-packages/rest_framework/views.py:494: in dispatch
response = self.handle_exception(exc)
venv/lib/python3.5/site-packages/rest_framework/views.py:454: in 
handle_exception
self.raise_uncaught_exception(exc)
venv/lib/python3.5/site-packages/rest_framework/views.py:491: in dispatch
response = handler(request, *args, **kwargs)
api_client/views.py:147: in retrieve
return self.list(request, *args, **kwargs)
api_client/views.py:142: in list
data = self._get_data()
api_client/views.py:130: in _get_data
return self._call_proper_class(self.api_source, self._get_key())
api_client/views.py:116: in _call_proper_class
return 
json.loads(api_view(self.request).render().content.decode('utf-8'))
venv/lib/python3.5/site-packages/django/views/decorators/csrf.py:58: in 
wrapped_view
return view_func(*args, **kwargs)
venv/lib/python3.5/site-packages/rest_framework/viewsets.py:95: in view
return self.dispatch(request, *args, **kwargs)
venv/lib/python3.5/site-packages/rest_framework/views.py:477: in dispatch
request = self.initialize_request(request, *args, **kwargs)
venv/lib/python3.5/site-packages/rest_framework/viewsets.py:118: in 
initialize_request
request = super(ViewSetMixin, self).initialize_request(request, *args, 
**kwargs)
venv/lib/python3.5/site-packages/rest_framework/views.py:381: in 
initialize_request
parser_context=parser_context
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = , request = 

parsers = [, 
, 
]
authenticators = [, ]
negotiator = 
parser_context = {'args': (), 'kwargs': {}, 'view': 
}

def __init__(self, request, parsers=None, authenticators=None,
 negotiator=None, parser_context=None):
assert isinstance(request, HttpRequest), (
'The `request` argument must be an instance of '
'`django.http.HttpRequest`, not `{}.{}`.'
>   .format(request.__class__.__module__, 
request.__class__.__name__)
)
E   AssertionError: The `request` argument must be an instance of 
`django.http.HttpRequest`, not `rest_framework.request.Request`.

venv/lib/python3.5/site-packages/rest_framework/request.py:159: 
AssertionError





On Wednesday, 27 December 2017 20:51:37 UTC, Escher wrote:
>
> 3.7.4 is breaking my generics.ListAPIView views compared to 3.7.3: I'm 
> getting the AssertionError (here 
> )
>  
> on my ListAPIView classes. They generally look like this:
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-rest-framework+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Auth from Django, not REST Framwork

2018-01-09 Thread Thomas Güttler 
Our django based products have several APIs.

Some use DRF, some not.

Up to now the DRF based APIs use the authentication 
(authentication_classes) which gets explained here:
 
   http://www.django-rest-framework.org/api-guide/authentication/

The other APIs use Django.

Things work, there are no bugs. But I don't like the design/architecture.

Nevertheless I would like to have one way to do auth.

Solution Variant1: Use DRF for all API calls.

Solution Variant2: Do Auth exclusively via Django, do not use  
authentication_classes.

Solution Variant3: Convince the django core developers to integrate 
authentication_classes

Solution Variant4: Extract authentication_classes from DRF into a small 
re-usable app and use this.

What do you think?

Regards,
  Thomas Güttler

BTW: This is only about Auth, not about permission checking.

-- 
You received this message because you are subscribed to the Google Groups 
"Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-rest-framework+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.