
I wrote an API service with Django. I have authorized the user to list only clients via the Django admin panel. When I enter the Django admin panel with the user name I authorized, there is no problem with the authorization.

But when I access the API service, it never sees the authorization.

Can you help me?

api/permissions.py

from rest_framework.permissions import BasePermission


class IsOwner(BasePermission):
    # Returned to the client in the 403 body when a check below fails.
    message = "you cannot change data that you do not own !"

    def has_permission(self, request, view):
        # Runs on every request, before the view touches any object.
        return request.user and request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        # Runs only when the view calls check_object_permissions(), which
        # GenericAPIView does inside get_object().
        return (obj.user == request.user) or request.user.is_superuser

views.py

from rest_framework.filters import SearchFilter
from rest_framework.generics import ListAPIView

from .models import Customer                        # module paths assumed
from .permissions import IsOwner
from .serializers import CustomerCreateSerializer


class CustomerListAPIView(ListAPIView):
    serializer_class = CustomerCreateSerializer
    # Overrides DEFAULT_PERMISSION_CLASSES from settings.py for this view only.
    permission_classes = [IsOwner]
    filter_backends = [SearchFilter]
    search_fields = ['customerName', 'customerSurname', 'customerIdentityNo']

    def get_queryset(self):
        # Each user sees only the customers they own; this filter is what limits the list.
        return Customer.objects.filter(user=self.request.user)

settings.py

REST_FRAMEWORK = {
    # Applies to views that do not set permission_classes themselves;
    # CustomerListAPIView above replaces it with [IsOwner].
    'DEFAULT_PERMISSION_CLASSES': [
         'rest_framework.permissions.DjangoModelPermissions'
    ]
}

Friends,

When I run the API, it does not enter "has_object_permission" at all. It only enters "has_object_permission" when I log in from the admin panel with a user account. When I run the API, it never gets into "has_object_permission".

Fatih mzm

1 Answer

  1. First, check whether you get the user in the request. You can do this, as I said above, by adding print(request.user) in your IsOwner permission above the return statement.
  2. Test whether you get the user in the request when you are making requests to your API (from the browser, I guess?).
  3. If the function prints None, then you need to add your JWT token in the Authorization header. Basically, that is how JWT works. You need to add a string (typically some codeword (JWT/Token), defined in your settings, + ) in the Authorization header of the request, so the API will identify you as a particular user.
  4. You can do it from different services. For example, I usually use the Postman service to test and make requests to my APIs. You can find it here: https://www.getpostman.com/

I wrote this as an answer because comment length wasn't enough.

Igor Belkov
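The checks described in the answer, as an added example that is not code from the question or the answer: a stand-alone model of the request path, showing how a missing or wrongly prefixed Authorization header turns request.user into AnonymousUser so that has_permission() rejects the request. It also goes beyond the answer on the view side: a ListAPIView only ever runs has_permission() and relies on get_queryset() to limit the rows, while has_object_permission() is reached only through get_object(), which list views never call. Nothing here imports Django or DRF; the User/Request/view classes are minimal stand-ins that copy DRF's call order, and the "JWT" keyword, the token table and the customer rows are assumptions and constructed data.

```python
"""Added example, not part of the question or the answer: a stand-alone model of
when DRF calls has_permission() versus has_object_permission(), and of how a
missing Authorization header makes request.user AnonymousUser.  No Django/DRF
imports; all users, tokens and customer rows below are constructed data."""
from collections import namedtuple
from dataclasses import dataclass, field

User = namedtuple("User", "username is_authenticated is_superuser", defaults=(True, False))
Customer = namedtuple("Customer", "id user name")
ANONYMOUS = User("AnonymousUser", is_authenticated=False)
AUTH_KEYWORD = "JWT"   # assumed prefix; the real one comes from the auth class / settings
TOKENS = {"alice-token": User("alice"), "bob-token": User("bob")}   # constructed table


class PermissionDenied(Exception):
    """Stand-in for rest_framework.exceptions.PermissionDenied (HTTP 403)."""


@dataclass
class Request:
    user: User
    calls: list = field(default_factory=list)   # permission hooks that actually ran


def authenticate(headers):
    """Resolve request.user from the Authorization header the way a DRF token
    authentication class would; missing, malformed or unknown gives AnonymousUser."""
    parts = headers.get("Authorization", "").split()
    if len(parts) == 2 and parts[0] == AUTH_KEYWORD:
        return TOKENS.get(parts[1], ANONYMOUS)
    return ANONYMOUS


class IsOwner:
    """Same logic as the permission class in the question, plus call tracing."""
    message = "you cannot change data that you do not own !"

    def has_permission(self, request, view):
        request.calls.append("has_permission")
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        request.calls.append("has_object_permission")
        return obj.user == request.user or request.user.is_superuser


class GenericView:
    """Mirrors GenericAPIView: permissions on every request, object permissions only in get_object()."""
    permission_classes = [IsOwner]

    def __init__(self, rows):
        self.rows = rows

    def get_queryset(self, request):
        return list(self.rows)                  # unfiltered, like Customer.objects.all()

    def _check(self, hook, request, *args):
        for perm in (cls() for cls in self.permission_classes):
            if not getattr(perm, hook)(request, self, *args):
                raise PermissionDenied(perm.message)

    def get_object(self, request, pk):
        obj = next((c for c in self.get_queryset(request) if c.id == pk), None)
        if obj is None:
            raise LookupError("404 Not Found")
        self._check("has_object_permission", request, obj)   # the hook's only caller
        return obj

    def list(self, request):                    # ListAPIView.get()
        self._check("has_permission", request)
        return self.get_queryset(request)       # no per-object check at all

    def retrieve(self, request, pk):            # RetrieveAPIView.get()
        self._check("has_permission", request)
        return self.get_object(request, pk)


class CustomerListView(GenericView):
    def get_queryset(self, request):            # the question's owner filter
        return [c for c in self.rows if c.user == request.user]


def outcome(call):
    """'allowed' or 'denied' for one view call, like the 200/403 a client sees."""
    try:
        call()
        return "allowed"
    except PermissionDenied:
        return "denied"


def run_scenarios():
    """Three checks a practitioner would make; returns their outcomes."""
    alice, bob = TOKENS["alice-token"], TOKENS["bob-token"]
    rows = [Customer(1, alice, "Ada"), Customer(2, bob, "Ben")]
    good = {"Authorization": f"{AUTH_KEYWORD} alice-token"}
    # 1. Authenticated list: only get_queryset() limits the rows; no object hook runs.
    req = Request(authenticate(good))
    names = [c.name for c in CustomerListView(rows).list(req)]
    list_calls = list(req.calls)
    # 2. No Authorization header: AnonymousUser, so has_permission() denies.
    anon = outcome(lambda: CustomerListView(rows).list(Request(authenticate({}))))
    # 3. Unfiltered detail view: get_object() does reach has_object_permission().
    req = Request(authenticate(good))
    cross = outcome(lambda: GenericView(rows).retrieve(req, 2))
    return {"list_names": names, "list_calls": list_calls, "anonymous_list": anon,
            "alice_reads_bob": cross, "detail_calls": list(req.calls)}
```

Against the real project the same three checks are: call the list endpoint with and without the Authorization header and compare what the print(request.user) line in IsOwner shows, then call a detail endpoint for another user's row. In this model the list request records only "has_permission", so the owner filter in get_queryset() is the only thing keeping other users' customers out of the list.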