channels-api icon indicating copy to clipboard operation
channels-api copied to clipboard
verified publisher icon linuxlewis

Permission pk field useless

Open sean-dooher opened this issue 7 years ago • 0 comments

Currently when making custom permissions, the "pk" field is useless as there is no way to actually retrieve the instance of the object you are checking against as the BasePermission class has no referent to a model type.

I ran into this issue when trying to write the following permission class to see if a user owns a model:

class IsOwner(BasePermission):
    def has_permission(self, user, action, pk):
        try:
            # have to hard code Job here because BasePermission has no reference to the Model it is checking
            job = Job.objects.get(pk=pk) 
        except Job.DoesNotExist:
            return False

        if action == "SUBSCRIBE":
            return user == job.owner
        return False

While this works for the Job model, I want to make this more general as I have other models with Owner that I want to use the same permission on. As I see it now, there's no way to generically use this field to do anything at all.

I think this was just a design oversight and I figure this can be solved pretty easily through just passing a reference to the Model of the binding to the permission class upon construction that can then be accessed from the has_permission method. I'll submit a PR with a fix once I have a chance.

sean-dooher avatar Mar 03 '18 09:03 sean-dooher