Permissions and authorization

DRF Permission classes

class vng_api_common.permissions.AuthScopesRequired
class vng_api_common.permissions.BaseAuthRequired

Perform a permission check based on required scopes.

An APIView or rest_framework.viewsets.ViewSet needs to define the required_scopes attribute, mapping each action to the scope it requires. For an APIView, the keys are the HTTP methods (e.g. "get") the scopes apply to. Viewset example:

>>> class SomeViewSet(viewsets.ModelViewSet):
...     queryset = Some.objects.all()
...     permission_classes = (MainObjAuthScopesRequired,)
...     required_scopes = {
...         "retrieve": Scope("some.scope"),
...         "list": Scope("some.scope"),
...         "create": Scope("some.scope"),
...         "update": Scope("some.scope"),
...         "partial_update": Scope("some.scope"),
...         "destroy": Scope("some.scope"),
...     }

Or for APIView:

>>> class SomeView(APIView):
...     permission_classes = (BaseAuthRequiredSubclass,)
...     required_scopes = {"get": Scope("some.scope")}
...
...     def get(self, request):
...         ...

Note that you need a subclass that sets get_obj or implements _get_object().

has_object_permission(request: Request, view, obj) → bool

Return True if permission is granted, False otherwise.

has_permission(request: Request, view) → bool

Return True if permission is granted, False otherwise.

class vng_api_common.permissions.ClientIdRequired

Look at the client_id of an object and check that it equals the client_id in the JWT.

has_object_permission(request: Request, view, obj) → bool

Return True if permission is granted, False otherwise.

class vng_api_common.permissions.MainObjAuthScopesRequired

Perform permission checks based on the main resource of the endpoint.

class vng_api_common.permissions.RelatedObjAuthScopesRequired

Perform permission checks based on an object related to the endpoint resource.

vng_api_common.permissions.bypass_permissions(request: Request) → bool

Bypass permission checks in DEBUG when using the browsable API renderer.

vng_api_common.permissions.permission_class_factory(base=<class 'vng_api_common.permissions.BaseAuthRequired'>, **attrs) → type

Build a view-specific permission class.

This is just a small wrapper around type intended to keep the code readable.

Scopes

Define scopes to manage authorizations on API resources.

Scope objects hold their own definition and documentation. Public scopes get added to the scope registry, which can be introspected for automatic documentation.

class vng_api_common.scopes.Scope(label: str, description: Optional[str] = None, private: bool = False)

Define a single scope object.

A scope is characterized by a label, whereas the actual permissions related to it are implemented in the view(set)s. Scopes can be OR-ed together:

>>> Scope("foo") | Scope("bar")
Scope("foo | bar")

This is interpreted as: you have permission if either of the scopes is present in your authorization configuration.

Parameters:
  • label – A label identifying the scope. Labels must be unique.

  • description – An optional description of what the scope allows/means.

  • private – Private scopes are not added to the registry.

is_contained_in(scope_set: List[str]) → bool

Test if the flat scope_set (a list of scope labels) encapsulates this scope, i.e. whether at least one of the OR-ed alternatives is present.
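The following is an added example, not code from vng_api_common: a minimal stand-in for Scope that models the OR-composition and is_contained_in semantics described above, plus a hypothetical helper (action_permitted) that evaluates a viewset's required_scopes mapping against the scopes carried in a token the way the permission classes described earlier do. Scope labels and the token contents are constructed for illustration.

```python
# Added example (not vng_api_common's own code): a minimal model of the scope
# semantics so the OR-composition and is_contained_in behaviour can be
# exercised without Django/DRF installed.
from typing import Dict, List, Optional


class Scope:
    """A scope identified by a label; '|' builds an OR-ed composite label."""

    def __init__(self, label: str, description: Optional[str] = None, private: bool = False):
        self.label = label
        self.description = description
        self.private = private

    def __or__(self, other: "Scope") -> "Scope":
        # Scope("foo") | Scope("bar") -> Scope("foo | bar"): either label grants access.
        return Scope(f"{self.label} | {other.label}", private=True)

    def __repr__(self) -> str:
        return f'Scope("{self.label}")'

    def is_contained_in(self, scope_set: List[str]) -> bool:
        # scope_set is a flat list of labels (e.g. taken from a JWT claim).
        # A composite scope is satisfied when any of its alternatives is present.
        alternatives = [part.strip() for part in self.label.split("|")]
        return any(alt in scope_set for alt in alternatives)


def action_permitted(required_scopes: Dict[str, Scope], action: str, jwt_scopes: List[str]) -> bool:
    """Hypothetical helper: the scope mapped to `action` must be contained in the token's scopes.

    An action with no entry in required_scopes is denied, so a forgotten mapping
    fails closed rather than open (assumption made for this example).
    """
    scope = required_scopes.get(action)
    if scope is None:
        return False
    return scope.is_contained_in(jwt_scopes)


# Constructed sample: a viewset's required scopes and the scopes in a token.
REQUIRED = {
    "list": Scope("objects.read"),
    "retrieve": Scope("objects.read"),
    "create": Scope("objects.create") | Scope("objects.update"),
}
TOKEN_SCOPES = ["objects.read", "objects.update"]  # constructed JWT scopes claim

if __name__ == "__main__":
    for action in ("list", "create", "destroy"):
        print(action, action_permitted(REQUIRED, action, TOKEN_SCOPES))
```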