Role and Permission in Django DRF

I am implementing permission-roles in Django using DRF but not sure where i got stuck here

Here are models:

class User():
    
class Staff()
    user = models.ForeignKey(
        User, on_delete=models.CASCADE, related_name="staffs")
    business = models.ForeignKey(
        "Business", on_delete=models.CASCADE, related_name="staffs"
    )
    role =  models.PositiveSmallIntegerField (superadmin, admin, regular)
class Business()
    name = models.CharField(max_length=150)
class BusinessGallery()
    business = models.ForeignKey(
    Business, on_delete=models.CASCADE, related_name="gallery"
)

here is BusinessViewSet

class BusinessViewSet(
mixins.ListModelMixin,
mixins.RetrieveModelMixin,
mixins.UpdateModelMixin,
mixins.CreateModelMixin,
mixins.DestroyModelMixin,
viewsets.GenericViewSet):
serializer_class = BusinessSerializer

def get_permissions(self):
    action_permissions = {
        "retrieve": [IsSuperAdmin | IsAdmin | IsRegular],
        "list": [IsSuperAdmin | IsAdmin],
        "partial_update": [IsAdmin | IsSuperAdmin],
        "create": [IsAuthenticated],
        "destroy": [IsSuperAdmin],
    }

    self.permission_classes = action_permissions.get(self.action, [IsSuperAdmin])
    return super().get_permissions()

def get_queryset(self):
    return Business.objects.filter(staffs__user=self.request.user)

here is permissions.py

class RolePermission(BasePermission):
    required_role = None

    def has_permission(self, request, view):
        user = request.user
        if not user or not user.is_authenticated:
            return False

        

    def has_object_permission(self, request, view, obj):
        if not request.user or not request.user.is_authenticated:
            return False

        business = self.get_business_from_object(obj)
        if not business:
            return False

        return request.user.staffs.filter(
            business=business, role=self.required_role
        ).exists()

    def get_business_from_object(self, obj):
        if isinstance(obj, Business):
            return obj
        if hasattr(obj, "business"):
            return obj.business
        return None


class IsSuperAdmin(RolePermission):
    required_role = ROLE_SUPER_ADMIN


class IsAdmin(RolePermission):
    required_role = ROLE_ADMIN


class IsRegular(RolePermission):
    required_role = ROLE_REGULAR

Assume that i already have all setup correctly. but for some reason i can not get this test pass: i keep getting 403 forbidden.

def test_super_admin_can_retrieve_business(self):
    self.client.force_authenticate(user=self.super_admin_user)
    response = self.client.get(f"/businesses/{self.business.id}/")
    self.assertEqual(response.status_code, status.HTTP_200_OK)
    self.assertEqual(response.data["name"], self.business.name)

I have been stuck for almost 2 days but still not sure what did i do wrong to make this simple test case pass. Any suggestion will highly appreciate. Thank you

Вернуться на верх

Последние вопросы и ответы

Role and Permission in Django DRF

Is there a way to test blog post permissions in PyTest?

How do I prevent a user from creating multiple objects within 24 hours in Django

Trying to send basic string to Django Backend via POST request using axios but no data is sent

How to get Custom Adapter to respect the 'next' URL query parameter

Не работают ссылки на сайте в Django

Django Field errors not displaying

Фоновые задания в Джанго

Django - Testing async management command not working as expected

Add functionality to model creation in django admin site

Role and Permission in Django DRF

Последние вопросы и ответы

Рекомендуемые записи по теме