Permissions¶
PRF offers a single base class for writing your own permissions, BasePermission
. There are two methods that you
can override, has_permission()
and has_object_permission()
. The first is checked on every request to a view and
the later is checked when a specific instance of an object is being accessed in a view.
In the example below the request’s authenticated user must be an admin:
from pyramid.response import Response
from pyramid_restful.viewsets import ModelCRPDViewSet
from pyramid_restful.permissions import BasePermission
from .models import User
from .schemas import UserSchema
class IsAdminPermission(BasePermission):
message = 'You must be an admin.'
def has_permission(self, request, view):
return request.user.is_admin == True:
class UserViewSet(ModelCRPDViewSet):
model = User
schema = UserSchema
permission_classes = (IsAdminPermission,)
If you prefer you can still use pyramid’s built in authorization and permissions framework. If you are manually routing a view and using pyramid’s authorization framework you would use permissions just as you would normally:
# config is an instance of pyramid.config.Configurator
config.add_route('users', '/users/')
config.add_view(views.UserView.as_view(), route_name='user', permission='view')
If you are routing a ViewSet
and using a ViewSetRouter
you simply set your permission using the permission
kwarg:
from pyramid.routers import ViewSetRouter
def includeme(config):
router = ViewSetRouter(config)
router.register('users', views.UserViewSet, 'coop', permission='view')