Does django-rules work with django rest framework viewsets?

Question

Does django-rules work with django rest framework viewsets?

limbera opened this issue 7 years ago · comments

Andreas Limberopoulos commented 7 years ago

Hi,

I am trying to integrate rules with DRF's viewsets but I keep getting an AttributeError: 'OrgViewSet' object has no attribute 'request'

Here is my viewset code:

class OrgViewSet(PermissionRequiredMixin,
                 mixins.ListModelMixin,
                 viewsets.GenericViewSet):
    permission_required = CHANGE_ORG
    queryset = Org.objects.all()
    serializer_class = OrgSerializer

Here is the stack trace

Internal Server Error: /orgs/
Traceback (most recent call last):
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/rest_framework/viewsets.py", line 86, in view
    return self.dispatch(request, *args, **kwargs)
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/django/contrib/auth/mixins.py", line 90, in dispatch
    if not self.has_permission():
  File "/Users/dre/code/treebeard/venv/lib/python3.6/site-packages/rules/contrib/views.py", line 51, in has_permission
    return self.request.user.has_perms(perms, obj)
AttributeError: 'OrgViewSet' object has no attribute 'request'

Any help would be greatly appreciated.

dfunckt · Answer 1 · Tue Jun 20 2017 03:29:04 GMT+0800 (China Standard Time)

@limbera I wouldn't expect the PermissionRequiredMixin to be compatible with DRF views out of the box -- AFAIK DRF's view hierarchy is completely separate to Django's and handles the request itself. You are probably better off trying to hook rules into DRF's permission system, rather than reusing the mixin directly.

jberends · Answer 2 · Tue Jul 04 2017 20:15:47 GMT+0800 (China Standard Time)

We use a combination of DRF with dry-rest-permissions (https://github.com/dbkaplan/dry-rest-permissions) and incorporate django-rules as predicates which are checked in the model permission checker methods. This works like a charm.

#models.py
class ModelA(Models):
    some_field = ....

    @static_method
    def has_read_permission(request)
        return request.user.has_perm("a_model:read_permission", request)

# rules.py
add_perm("a_model:read_permission", is_superuser | 
    is_authenticated & is_group_member('SomeGroup'))

#in the viewset
class SomeView(ViewSet)
    permission_classes = (IsAuthenticated, DRYPermissions)

(code examples might contains errors, written down out of my head)

dfunckt · Answer 3 · Mon Oct 30 2017 02:18:50 GMT+0800 (China Standard Time)

@escodebar hey, thanks for your work. DRF has its own permission system, that's completely separate from Django's. I know integration of rules with DRF is going to be very useful but I don't think it belongs into rules' core.

Seeing your work. given the functionality is completely additive and requires no changes to rules core in order to work, it should be trivial to make a separate package with the mixin and related tests. I'd happily link to that project from the README (and leave this ticket open as well, like, forever) so it's discoverable but I'm not inclined to accept this (or any other DRF-integration effort) into core.

dfunckt · Answer 4 · Fri Nov 17 2017 01:53:59 GMT+0800 (China Standard Time)

@escodebar, thanks, this looks great 👍

Two quick bits of feedback: I think it'd be nice to have a complete example that shows how one would setup a couple of predicates and rules before showing how django-rest-framework-rules is used with DRF, as it now reads somewhat disconnected.

The other is that the project looks like it's a fork of rules even though it shares no code and it properly brings in rules as a dependency, building extra functionality upon it. I'm really not sure if there's a way to resolve this, just saying because I think it's going to confuse a few people trying to use django-rest-framework-rules.

Pablo Escodebar · Answer 5 · Sun Nov 26 2017 18:18:22 GMT+0800 (China Standard Time)

django-rules works with django REST framework viewsets using the django-rest-framework-rules package.

lnstallation and usage are documented in django-rest-framework-rules' README, further examples can be found in django-rest-framework-rules' tests.

@dfunckt: I guess, that you can close this issue now.

dfunckt · Answer 6 · Sun Aug 11 2019 20:54:09 GMT+0800 (China Standard Time)

rules now has built-in support for Django Rest Framework (contributed by @efficiosoft in #100). See here for docs on the feature: https://github.com/dfunckt/django-rules#permissions-in-django-rest-framework

DRF support ties well with the newly-added support for automatic permissions for models -- see https://github.com/dfunckt/django-rules#permissions-in-models (also by @efficiosoft, in #99)

All in all, I think rules now integrates well with DRF -- let me know of any feedback you may have.