
Permissions


🔎 object level permissions

"Object-level permissions" are checked when a DRF generic view calls the get_object() method.

As with "view-level permissions", if the request is not allowed to act on the object, an exceptions.PermissionDenied exception is raised.

If you want to enforce "object-level permissions" in a view you write yourself, or you override get_object in a generic view, you must call the .check_object_permissions(request, obj) method explicitly. Otherwise the object-level checks are skipped for that view.

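# views.py
from django.shortcuts import get_object_or_404

# Method of the view class: fetch the object, then run the object-level checks.
def get_object(self, pk):
    post = get_object_or_404(self.queryset, pk=pk)
    # Raises PermissionDenied if any permission class rejects this object.
    self.check_object_permissions(self.request, post)
    return post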


🔎 Customizing permissions

If you open rest_framework/permissions.py, you will find the following definition.

class BasePermission(metaclass=BasePermissionMetaclass):
    """
    A base class from which all permission classes should inherit.
    """

    def has_permission(self, request, view):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True

    def has_object_permission(self, request, view, obj):
        """
        Return `True` if permission is granted, `False` otherwise.
        """
        return True

The has_permission method is available for every HTTP request:

POST, GET, PUT, DELETE

In contrast, the has_object_permission method is called from the get_object method, so it can only be used for GET, PUT and DELETE. Requests that never call get_object, such as creating an object with POST, are covered only by has_permission.

from rest_framework.permissions import BasePermission

class CustomObjectPermission(BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj.user == request.user
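
The following is an added example, not code from the original post or from DRF itself. It is a dependency-free model of the flow described above, showing that the owner-only rule in CustomObjectPermission takes effect only when an overridden get_object calls check_object_permissions. MiniView, UncheckedView, CheckedView, Request, Post, POSTS, can_fetch and the user names are hypothetical stand-ins.

```python
# Added example: simplified stand-ins that mimic DRF's documented behaviour.
# None of these classes are DRF code; the sample data is constructed.

class PermissionDenied(Exception):
    """Stand-in for rest_framework.exceptions.PermissionDenied."""

class Request:
    def __init__(self, user, method="GET"):
        self.user, self.method = user, method

class Post:
    def __init__(self, pk, user):
        self.pk, self.user = pk, user

class CustomObjectPermission:
    # Same rule as the page's CustomObjectPermission: only the owner passes.
    def has_object_permission(self, request, view, obj):
        return obj.user == request.user

POSTS = {1: Post(1, "alice"), 2: Post(2, "bob")}  # constructed sample data

class MiniView:
    permission_classes = [CustomObjectPermission]

    def __init__(self, request):
        self.request = request

    def check_object_permissions(self, request, obj):
        # Any permission class returning False raises PermissionDenied.
        for perm in (cls() for cls in self.permission_classes):
            if not perm.has_object_permission(request, self, obj):
                raise PermissionDenied(f"{request.user} may not access post {obj.pk}")

class UncheckedView(MiniView):
    def get_object(self, pk):
        return POSTS[pk]  # override skips the check: any user gets any post

class CheckedView(MiniView):
    def get_object(self, pk):
        post = POSTS[pk]
        self.check_object_permissions(self.request, post)  # enforce ownership
        return post

def can_fetch(view_cls, user, pk):
    """Return True if `user` can retrieve post `pk` through `view_cls`."""
    try:
        view_cls(Request(user)).get_object(pk)
        return True
    except PermissionDenied:
        return False
```

A regression test for a real view can follow the same shape: request another user's object and assert that the response is a denial.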

This post is licensed under CC BY 4.0 by the author.