I am new to Django and DRF.
In my project I have two groups of permissions:
1. normal_user group: with view_issue, view_project, view_analyzeissue
2. manager_user: with all possible permissions
I have some views that check certain permissions.
For example, the IssuesViewApi view requires NormalUserPermissions.
So in my tests I created a new group composed of a subset of permissions and sent a request to the view.
My new group has view_issue and change_issue.
When I send a request to IssuesViewApi I get a 403 response.
I have a NormalUserPermissions class:
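class NormalUserPermissions(permissions.BasePermission):
    """Allow a request only when the user holds every permission of a reference group.

    The reference group defaults to ``normal_user``; subclasses can override
    ``group_name`` to apply the same check against a different group.

    ``User.has_perms`` is all-or-nothing: the request is denied as soon as a
    single permission in the list is missing.  A user whose groups grant only
    a subset of the group's permissions (for example just ``view_issue`` and
    ``change_issue``) therefore receives 403 from any view guarded by this
    class, even though the view itself may only need ``view_issue``.
    """

    # Name of the group whose permission set defines the required level.
    group_name = "normal_user"

    def has_permission(self, request: Request, view) -> bool:
        """Return True iff ``request.user`` holds all permissions of ``group_name``.

        ``get_group_permissions`` is defined elsewhere in the project; it
        presumably returns the ``app_label.codename`` strings that
        ``has_perms`` expects — confirm against its definition.
        """
        required = get_group_permissions(self.group_name)
        # has_perms() requires *every* entry of ``required``; one missing
        # permission is enough to deny the request.
        return request.user.has_perms(required)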
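class IssuesViewApi(generics.ListAPIView):
    """Paginated, filterable, read-only listing of ``Issue`` rows.

    Access requires an authenticated user who also passes
    ``NormalUserPermissions`` (both permission classes must allow the
    request).  Only GET is served.
    """

    class IssueFilter(FilterSet):
        """Query-string filters accepted by the listing."""

        labels = CharFilter(field_name="labels", lookup_expr='contains')
        project_id = NumberFilter(field_name="project__id", lookup_expr='exact')
        # The query key is ``user_name`` (not ``username``); a ``username=``
        # parameter is not a declared filter here.
        user_name = CharFilter(field_name="users__username", lookup_expr='exact')
        start_date = DateFilter(field_name="updated_at", lookup_expr='gte')
        end_date = DateFilter(field_name="updated_at", lookup_expr='lte')

        class Meta:
            model = Issue
            fields = ["iid", 'is_analyzed', 'project_id', 'labels', 'user_name', 'start_date', 'end_date']

    permission_classes = [IsAuthenticated, NormalUserPermissions]
    http_method_names = ['get']
    pagination_class = StandardPagination
    queryset = Issue.objects.all()
    serializer_class = IssueSerialize
    filter_backends = [OrderingFilter, DjangoFilterBackend]
    filterset_class = IssueFilter
    ordering_fields = ['iid', 'weight']  # order fields depend on user request
    ordering = ['iid']  # default order value

    def get(self, request, *args, **kwargs):
        """Serve the list and re-shape the paginated payload.

        Returns a ``Response`` whose body carries ``data.issues`` (the
        current page's rows) and ``paginationInfo`` (count, next/previous
        links, total pages).  The re-shaping assumes the parent produced a
        paginated body with ``results``/``count``/``next``/``previous`` keys.
        """
        response = super().get(request, *args, **kwargs)
        return Response(self._wrap_page(response.data))

    def _wrap_page(self, page_data):
        """Build the response envelope around one paginated page of issues."""
        return {
            'data': {
                'issues': page_data['results'],
            },
            'paginationInfo': {
                "count": page_data['count'],
                "next_page": page_data['next'],
                "previous_page": page_data['previous'],
                # Total page count comes from the Django Paginator that the
                # DRF paginator built for this request.
                "total_pages": self.paginator.page.paginator.num_pages,
            },
        }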
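def test_create_custom_group_and_filter_issues_and_update_issue(self):
    """A manager creates a custom group, assigns a user, and that user lists issues.

    Flow: log in as a manager, POST a group holding only ``view_issue`` and
    ``change_issue``, sync ``testuser`` into it, log out, log back in as
    ``testuser`` and GET the issue filter endpoint expecting 200.
    """
    self.run_fake_discovery()

    # --- as manager: create the group and attach testuser to it ---
    user = self.get_user()
    user.groups.add(Group.objects.get_by_natural_key("manager_user"))
    self.login(username=user.username, password="123456789")

    group_name = "new_group"
    # IDs of exactly the two permissions the new group should carry.
    group_permissions = list(
        Permission.objects.filter(codename__in=['view_issue', 'change_issue'])
        .values_list('id', flat=True)
    )
    response = self.client.post(
        reverse('group-add'),
        data=json.dumps({'name': group_name, 'permissions': group_permissions}),
        content_type=self.CONTENT_TYPE,
    )
    self.assertEqual(response.status_code, status.HTTP_201_CREATED)
    self.assertTrue(Group.objects.filter(name=group_name).exists())

    test_user = User.objects.get(username='testuser')
    response = self.client.post(
        reverse('sync-users-and-groups'),
        data=json.dumps({'group_name': group_name, 'users': [test_user.id]}),
        content_type=self.CONTENT_TYPE,
    )
    self.assertEqual(response.status_code, status.HTTP_200_OK)
    # ``groups`` is a related manager, so this re-queries the database and
    # sees the membership the sync endpoint just wrote.
    self.assertTrue(test_user.groups.filter(name=group_name).exists())

    response = self.logout()
    self.assertEqual(response.status_code, status.HTTP_200_OK)

    # --- as testuser: the listing must be reachable with only view_issue ---
    self.login(username=test_user.username, password='123456789')
    # NOTE(review): IssueFilter declares ``user_name``, not ``username``, so
    # this query key is not a declared filter and the request is likely
    # unfiltered.  Use ``user_name`` if filtering by user is intended.
    filter_issue_response = self.client.get(
        reverse('issue-filter'),
        data={'username': user.username},
        content_type=self.CONTENT_TYPE,
    )
    # NormalUserPermissions calls has_perms() with *every* permission of the
    # ``normal_user`` group; a group holding only view_issue/change_issue is
    # rejected with 403 here unless that check is narrowed to what the view
    # actually needs.
    self.assertEqual(filter_issue_response.status_code, status.HTTP_200_OK)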
Why does it check all permissions?
I want a user who has the view_issue permission to get a response with status 200.