
This is my View Set:

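class MyViewSet(ModelViewSet):
    """Model view set for MyClass whose serializer depends on the caller's role.

    Superusers get ``MySerializer``; every other caller gets
    ``serializers.MyUserSerializer``. ``perform_create`` attaches the caller's
    ``Employee`` row to every object it saves.
    """

    # No permission_classes are declared on this view, so access control falls
    # back to the project's DEFAULT_PERMISSION_CLASSES setting (AllowAny unless
    # the project configures something stricter).
    serializer_class = MySerializer
    queryset = MyClass.objects.all()

    def get_serializer_class(self):
        """Return the serializer class matching the requesting user's role."""
        if self.request.user.is_superuser:
            return self.serializer_class

        # Everyone who is not a superuser, anonymous callers included, is
        # handled by the user-facing serializer.
        return serializers.MyUserSerializer

    def perform_create(self, serializer):
        """Save the new object with the requesting user's Employee attached.

        This runs for every caller, superusers included. The Employee is
        looked up from the authenticated request user, not from the request
        body. ``Employee.objects.get`` raises ``Employee.DoesNotExist`` when
        the user has no Employee row, which is not handled here.
        """
        employee = models.Employee.objects.get(user=self.request.user)
        serializer.save(employee=employee)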

I want to apply a permission before perform_create: this perform_create() should only be called if the currently logged-in user is not a superuser. If the currently logged-in user is a superuser, the default perform_create function should be called.

Edit: Basically I want to implement the following logic, but with the help of permissions.

def perform_create(self, serializer):
    """Save the object, attaching the caller's Employee unless the caller is a superuser."""
    user = self.request.user
    if not user.is_superuser:
        # The owner comes from the authenticated request user rather than from
        # anything in the request body. get() raises Employee.DoesNotExist if
        # the user has no Employee row; that case is not handled here.
        employee = models.Employee.objects.get(user=user)
        serializer.save(employee=employee)
        return
    # Superusers use the plain save, so the saved fields are whatever the
    # serializer validated.
    serializer.save()

How to do that?

Waleed Farrukh

4 Answers


Try this logic

def perform_create(self, serializer):
    """Save the object, setting ``author`` to the caller for ordinary logged-in users.

    Superusers and unauthenticated callers both take the plain ``save()``
    path. Anonymous requests are therefore only kept out if a permission
    class rejects them before this method runs.
    """
    request = self.request
    # Shows how to read a field from the request body; the value is discarded.
    request.data.get("title", None)

    user = request.user
    attach_author = user.is_authenticated and not user.is_superuser
    # The author is taken from the authenticated user, never from client input.
    save_kwargs = {"author": user} if attach_author else {}
    instance = serializer.save(**save_kwargs)

You can use permission_classes in your Viewset class

from rest_framework.permissions import IsAuthenticated
class MyViewSet(ModelViewSet):
    """Model view set for MyClass that only authenticated users may call."""

    # IsAuthenticated rejects anonymous requests for every action. It does not
    # distinguish superusers from other users, so any per-role behaviour on
    # create still has to be implemented separately.
    permission_classes = (IsAuthenticated,)
    serializer_class = MySerializer
    queryset = MyClass.objects.all()

    ...
Dmitry Yudin

Try like this:

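class MyViewSet(ModelViewSet):
    """Model view set for MyClass with role-dependent serializer and create logic.

    Superusers get ``MySerializer`` and a plain ``serializer.save()``. Other
    callers get ``serializers.MyUserSerializer`` and have their own
    ``Employee`` attached on create.
    """

    # No permission_classes are declared here, so the project's
    # DEFAULT_PERMISSION_CLASSES setting decides who can reach these actions.
    serializer_class = MySerializer
    queryset = MyClass.objects.all()

    def get_serializer_class(self):
        """Return the serializer class matching the requesting user's role."""
        if self.request.user.is_superuser:
            return self.serializer_class

        return serializers.MyUserSerializer

    def perform_create(self, serializer):
        """Save the new object; attach the caller's Employee unless they are a superuser.

        DRF calls perform_create for every successful create request, so the
        superuser case has to be branched here. The ``has_permission`` method
        below cannot skip this hook.
        """
        if self.request.user.is_superuser:
            serializer.save()
            return

        # The Employee comes from the authenticated request user, not from the
        # request body. get() raises Employee.DoesNotExist if the user has no
        # Employee row; that case is not handled here.
        employee = models.Employee.objects.get(user=self.request.user)
        serializer.save(employee=employee)

    def has_permission(self, request, view):
        """Return True for superusers, otherwise defer to the parent class.

        NOTE(review): DRF calls ``has_permission`` on the permission objects
        returned by ``get_permissions()``, not on the view. Defined on the view
        set, this method is never invoked during request handling and so
        provides no access control. DRF's view base classes also define no
        ``has_permission``, so the ``super()`` call would fail if it were ever
        reached. To take effect, this check belongs in a ``BasePermission``
        subclass listed in ``permission_classes``.
        """
        if request.user.is_superuser:
            return True
        return super().has_permission(request, view)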

The perform_create method will be called only if the user is not a superuser and has permissions. The has_permission method will return True for superusers.

Myth
  • I tried this, but perform_create is still being called for superusers as well. Basically, I want to apply the following logic with the help of permissions: `def perform_create(self, serializer): if self.request.user.is_superuser: serializer.save() else: employee = models.Employee.objects.get(user=self.request.user) serializer.save(employee=employee)` – Waleed Farrukh Jan 19 '23 at 10:44

You can create a custom permission; see the following example.

from rest_framework import permissions

class IsNotSuperuserPermission(permissions.BasePermission):
    """Allow only authenticated users who are not superusers.

    Anonymous callers and superusers are both denied; ``message`` carries the
    reason reported for the denial.
    """

    # Default denial text, used when an authenticated superuser is rejected.
    message = 'You are super user.'

    def has_permission(self, request, view):
        """Return True only for a logged-in user without the superuser flag."""
        user = request.user
        if not user.is_authenticated:
            # Replace the denial text on this instance for the anonymous case.
            self.message = 'you are not logged in'
            return False
        return not user.is_superuser



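class MyViewSet(ModelViewSet):
    """Model view set for MyClass with per-action permissions.

    ``create`` is limited to authenticated non-superusers through
    ``IsNotSuperuserPermission``; every other action requires an authenticated
    user. A superuser's create request is therefore denied outright rather
    than falling back to a default save.
    """

    serializer_class = MySerializer
    queryset = MyClass.objects.all()

    def get_serializer_class(self):
        """Return the serializer class matching the requesting user's role."""
        if self.request.user.is_superuser:
            return self.serializer_class

        return serializers.MyUserSerializer

    def get_permissions(self):
        """Instantiate the permission classes that apply to the current action."""
        if self.action == 'create':
            permission_classes = [IsNotSuperuserPermission]
        else:
            # Referenced through the imported ``permissions`` module: the bare
            # name IsAuthenticated is never imported in this snippet and would
            # raise NameError on every non-create action.
            permission_classes = [permissions.IsAuthenticated]
        return [permission() for permission in permission_classes]

    def perform_create(self, serializer):
        """Save the new object with the requesting user's Employee attached.

        The create permission above means only authenticated non-superusers
        reach this method. get() raises Employee.DoesNotExist if the user has
        no Employee row; that case is not handled here.
        """
        employee = models.Employee.objects.get(user=self.request.user)
        serializer.save(employee=employee)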

In get_permissions you can assign one or more permissions to each action.

Ahmed Samy