0

I got 2 models which are connected as ManyToMany as you can see below. The thing i'm trying to achive is; serve people to users only when a user has a at least view right on the list that person belongs.

Here is my simplified models;

class List(TimeStampedModel, UserAwareModel):
    """Model definition for List."""

    name = models.CharField(_('list name'), max_length=50)
    ...


class Person(TimeStampedModel, UserAwareModel):
    """Model definition for Person."""

    member = models.ManyToManyField(List, blank=True)
    ...

Here is my my views;

class ListViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows Lists to be viewed or edited.
    """
    queryset = List.objects.all()
    serializer_class = ListSerializer
    permission_classes = (CustomObjectPermissions, DjangoModelPermissions)
    filter_backends = (filters.DjangoObjectPermissionsFilter,)

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)

class PersonViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows People to be viewed or edited.
    """
    # queryset = Person.objects.all().order_by('-created')
    serializer_class = PersonSerializer
    permission_classes = (DjangoModelPermissions, )

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user)

    def get_queryset(self):
        user = self.request.user
        allowed_lists = get_objects_for_user(user, ('view_list'), klass=List)
        queryset = set()
        for lst in allowed_lists:
            queryset.add(Person.objects.filter(member=lst))
        return queryset

Update: Thanks to mehamasum. Update the traceback with recent one (and seems more related with my get_queryset override)

Update 2: Thanks again to mehamasum. Now my code works without any error but my test user who has only view access on 'List 1' still gets all the users (those even belongs other lists) at the people endpoint. --What's the wrong with the code?--

Update 3: Appeared out get_obejcts_for_user function doesn't return results properly as mehamasum mentioned at the comments. Still searching for the reason.

thiras
  • 521
  • 1
  • 6
  • 22

1 Answers1

1

Looks like your error is thrown because you didn't specify a basename for your route in /app/really_simple_contact_management/urls.py:

router.register(r'people', PersonViewSet)

From the docs:

basename - The base to use for the URL names that are created. If unset the basename will be automatically generated based on the queryset attribute of the viewset, if it has one. Note that if the viewset does not include a queryset attribute then you must set basename when registering the viewset.

Replace the line above with:

router.register(r'people', PersonViewSet, base_name='people',)

Provide a meaningful string as base_name as per your preference and the error should go away.

Update:

You are manually building and returning a set, but the get_queryset function expected an actual Django QuerySet.

You could rewrite your function using __in operator:

def get_queryset(self):
    user = self.request.user
    allowed_lists = get_objects_for_user(user, ('view_list'), klass=List)
    return Person.objects.filter(member__in=allowed_lists)
mehamasum
  • 5,554
  • 2
  • 21
  • 30
  • Thanks for the error fix. But my main objective is still unaccomplished. I'll update the question with new get_queryset related error. – thiras Mar 03 '19 at 16:53
  • Thanks for the explanation and fast answer. I'm successfully get rid of that error. But my main purpose still unfilled. I got a test user who has only view access on list 1 but still get users whose from other lists instead of just list 1. – thiras Mar 03 '19 at 17:40
  • Does your `get_objects_for_user` function work properly? Try printing the `allowed_lists` and see if that list contains only 1. If that works properly, the above solution should work. – mehamasum Mar 03 '19 at 17:49
  • You are right. It doesn't return correctly. I'm on it to find out why. – thiras Mar 03 '19 at 18:01
  • 1
    Thanks for help. I've found the problem. It was overriding model permissions. – thiras Mar 03 '19 at 18:12