40
Since DRF 3.2.0, You only have to add a message attribute :
from rest_framework import permissions
class CustomerAccessPermission(permissions.BasePermission):
message = 'Adding customers not allowed.'
def has_permission(self, request, view):
See from DRF documentation: http://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
16
From DRF
you can simply add message attribute.
from rest_framework import permissions
class IsSuperUserPermission(permissions.BasePermission):
message = 'User is not superuser'
def has_permission(self, request, view):
return self.request.user.is_superuser
It will return a dict with key detail, something like this:
{
'detail': 'User is not superuser'
}
But what if you want for example that the
dictkey not to bedetailbuterrorsfor example, it will be the same howreturnerrors DRF.
We can set message attribute not to string but to dict, something like this:
class IsSuperUserPermission(permissions.BasePermission):
message = {'errors': ['User is not a superuser']}
def has_permission(self, request, view):
self.message['errors'].clear()
return self.request.user.is_superuser
In this case the error will be:
{
'errors': ['User is not a superuser']
}
- [Django]-Django: signal when user logs in?
- [Django]-How to set a Django model field's default value to a function call / callable (e.g., a date relative to the time of model object creation)
- [Django]-Django Admin Form for Many to many relationship
10
when permission isn’t granted, I will raise a exception which custom response.
It works on djangorestframewor(3.10.1) and django(2.2.3).
from rest_framework.permissions import BasePermission
from rest_framework.exceptions import APIException
from rest_framework import status
class IsLogin(BasePermission):
"""
Allows access only to authenticated users.
"""
def has_permission(self, request, view):
if request.email:
return True
raise NeedLogin()
class NeedLogin(APIException):
status_code = status.HTTP_403_FORBIDDEN
default_detail = {'error': True, 'message': 'need login'}
default_code = 'not_authenticated'
- [Django]-Site matching query does not exist
- [Django]-Django.contrib.gis.db.backends.postgis vs django.db.backends.postgresql_psycopg2
- [Django]-Django – Reverse for '' not found. '' is not a valid view function or pattern name
2
Building on Aysennoussi’s answer:
from rest_framework import permissions
class CustomerAccessPermission(permissions.BasePermission):
message = 'Adding customers not allowed.'
def has_permission(self, request, view):
if request.user.has_expired:
self.message = “Your account has expired.”
return False
elif request.user.has_access:
return True
else:
return False
- [Django]-Creating my own context processor in django
- [Django]-How can i test for an empty queryset in Django?
- [Django]-Django: Does unique_together imply db_index=True in the same way that ForeignKey does?
1
By default, it is handled by default exception handler, and it is raising a standard message – https://github.com/tomchristie/django-rest-framework/blob/2eb9107b875972e442ed73eef0e653fd4480d873/rest_framework/views.py#L82
But, you can set own EXCEPTION_HANDLER in settings of DRF, and handle PermissionDenied exception to return message you want.
See description at http://www.django-rest-framework.org/api-guide/settings/
- [Django]-Django REST Framework how to specify error code when raising validation error in serializer
- [Django]-How to resolve "iterator should return strings, not bytes"
- [Django]-Django Selective Dumpdata
0
I faced the same problem using DRF 3.9.4. As a workaround I defined just a simple message property in the custom permission class and it works. You can also use getattr with the same result I guess.
class IPWhitelistPermission(permissions.BasePermission):
def __init__(self):
super(IPWhitelistPermission, self).__init__()
self._client_ip = None
def has_permission(self, request, view):
ip = get_client_ip(request)
ret = IPWhitelist.is_whitelisted(ip)
if not ret:
logger = logging.getLogger('access')
logger.warn("Unauthorized access from IP %s" % ip)
self._client_ip = ip
return ret
@property
def message(self):
return "This IP is not whitelisted [{}]".format(self._client_ip)
- [Django]-Django removing object from ManyToMany relationship
- [Django]-Django manage.py Unknown command: 'syncdb'
- [Django]-Pagination in Django-Rest-Framework using API-View
0
You can send more than a single customized message if you want to.
You can do it using GenericAPIException.
Step 1: Create a permissions.py file and write this code.
class Check_user_permission(permissions.BasePermission):
def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS:
return True
else:
response ={
"success": "false",
'message': "Post request is not allowed for user from admin group",
"status_code":403,
}
raise GenericAPIException(detail=response, status_code=403)
Here, response is the JSON response you want to send.
Step 2: Go to view.py file and add the class Check_user_permission in the permission_classes list this way:
class UserList(APIView):
permission_classes = (IsAuthenticated, Check_user_permission)
authentication_class = JSONWebTokenAuthentication
...
...
Now if you go to the endpoint and send a POST request you’ll get this response.
{
"success": "false",
"message": "Post request is not allowed!",
"status_code": 403
}
- [Django]-Django Celery – Cannot connect to amqp://guest@127.0.0.8000:5672//
- [Django]-How do I subtract two dates in Django/Python?
- [Django]-How to delete project in django
0
Simple method use PermissionDenied class, and raise exception:
from rest_framework.exceptions import PermissionDenied
...
if allowed:
return True
else:
# return False
raise PermissionDenied('custom message')
...
- [Django]-Django: TypeError: 'tuple' object is not callable
- [Django]-Saving image/file through django shell
- [Django]-In django, how do I sort a model on a field and then get the last item?