| field | value | |
|---|---|---|
| author | Tom Christie | 2012-09-12 13:11:26 +0100 |
| committer | Tom Christie | 2012-09-12 13:11:26 +0100 |
| commit | dac4cb9e8bf107f407ed8754bbef0ce97e79beb2 (patch) | |
| tree | f57fc7774d36098e6aa8cf8af416aa5382fbc3e1 /docs/api-guide/permissions.md | |
| parent | 2469cd2c837112cc8134bebc6d3ac34994529c78 (diff) | |
| download | django-rest-framework-dac4cb9e8bf107f407ed8754bbef0ce97e79beb2.tar.bz2 | |
Diffstat (limited to 'docs/api-guide/permissions.md')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/api-guide/permissions.md | 19 |

1 files changed, 16 insertions, 3 deletions
diff --git a/docs/api-guide/permissions.md b/docs/api-guide/permissions.md index be22eefe..e0f3583f 100644 --- a/docs/api-guide/permissions.md +++ b/docs/api-guide/permissions.md @@ -12,7 +12,7 @@ Permission checks are always run at the very start of the view, before any other ## How permissions are determined -Permissions in REST framework are always defined as a list of permission classes. Before running the main body of the view, each permission in the list is checked. +Permissions in REST framework are always defined as a list of permission classes. Before running the main body of the view each permission in the list is checked. If any permission check fails an `exceptions.PermissionDenied` exception will be raised, and the main body of the view will not run. 
@@ -73,7 +73,18 @@ This permission is suitable if you want to your API to allow read permissions to ## DjangoModelPermissions -This permission class ties into Django's standard `django.contrib.auth` model permissions. When applied to a view that has a `.model` property, permission will only be granted if the user +This permission class ties into Django's standard `django.contrib.auth` [model permissions][contribauth]. When applied to a view that has a `.model` property, authorization will only be granted if the user has the relevant model permissions assigned. + +* `POST` requests require the user to have the `add` permission on the model. +* `PUT` and `PATCH` requests require the user to have the `change` permission on the model. +* `DELETE` requests require the user to have the `delete` permission on the model. + +The default behaviour can also be overridden to support custom model permissions. For example, you might want to include a `view` model permission for `GET` requests. + +To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details. + +The `DjangoModelPermissions` class also supports object-level permissions. Third-party authorization backends such as [django-guardian][guardian] should work just fine with `DjangoModelPermissions` without any custom configuration required. + ## Custom permissions @@ -84,4 +95,6 @@ The method should return `True` if the request should be granted access, and `Fa [cite]: https://developer.apple.com/library/mac/#documentation/security/Conceptual/AuthenticationAndAuthorizationGuide/Authorization/Authorization.html [authentication]: authentication.md -[throttling]: throttling.md
\ No newline at end of file +[throttling]: throttling.md +[contribauth]: https://docs.djangoproject.com/en/1.0/topics/auth/#permissions +[guardian]: https://github.com/lukaszb/django-guardian
\ No newline at end of file |
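Review bot: the rewritten sentence in the first hunk (`@@ -12,7`) drops the comma that set off the introductory clause, so "Before running the main body of the view each permission in the list is checked" now reads as a run-on, and the new sentence needs a comma after "fails"; suggest "Before running the main body of the view, each permission in the list is checked. If any permission check fails, an `exceptions.PermissionDenied` exception will be raised, and the main body of the view will not run." The added sentence itself is a worthwhile addition, since it documents that a failed check stops the view from running at all.

Review bot: the `DjangoModelPermissions` bullets in the second hunk (`@@ -73,7`) state which model permission `POST`, `PUT`/`PATCH` and `DELETE` require but say nothing about `GET`, `HEAD` and `OPTIONS`; since the following paragraph suggests adding a `view` permission for `GET`, say explicitly that read requests are granted without any model permission by default, so a reader knows what the override changes. "To use custom model permissions, override `DjangoModelPermissions` and set the `.perms_map` property. Refer to the source code for details." is also too thin for an API guide: document the shape of `.perms_map` (what the keys and values are) instead of deferring to the source. Finally, "should work just fine with `DjangoModelPermissions` without any custom configuration required" is a stronger guarantee about django-guardian than the rest of the page makes; consider qualifying it or stating what was actually tested.

Review bot: the `[contribauth]` link added in the third hunk (`@@ -84,4`) points at the Django 1.0 documentation (`https://docs.djangoproject.com/en/1.0/topics/auth/#permissions`); link the current or `dev` version of the page so the reference does not go stale. The file also still ends without a trailing newline (the `\ No newline at end of file` marker appears on both sides of the hunk); add one while the link block is being touched.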
