Permissions and authorization

DRF Permission classes

class vng_api_common.permissions.AuthScopesRequired

class vng_api_common.permissions.BaseAuthRequired

Perform a permission check based on required scopes.

An APIView or rest_framework.viewsets.ViewSet needs to define the required_scopes attribute, mapping action to which scope is required. For APIView you can specify which HTTP method they apply to. Viewset example:

>>> class SomeViewSet(viewsets.ModelViewSet):
...     queryset = Some.objects.all()
...     permission_classes = (MainObjAuthScopesRequired,)
...     required_scopes = {
...         "retrieve": Scope("some.scope"),
...         "list": Scope("some.scope"),
...         "create": Scope("some.scope"),
...         "update": Scope("some.scope"),
...         "partial_update": Scope("some.scope"),
...         "destroy": Scope("some.scope"),
...     }

Or for APIView:

>>> class SomeView(APIView):
...     permission_classes = (BaseAuthRequiredSubclass,)
...     required_scopes = {"get": Scope("some.scope")}
...
...     def get(self, request):
...         ...

Note that you need a subclass setting get_obj or implementing _get_object().

has_object_permission(request: Request, view, obj) → bool: Return True if permission is granted, False otherwise.

has_permission(request: Request, view) → bool: Return True if permission is granted, False otherwise.

class vng_api_common.permissions.ClientIdRequired

Look at the client_id of an object and check that it equals client_id in the JWT

has_object_permission(request: Request, view, obj) → bool: Return True if permission is granted, False otherwise.

class vng_api_common.permissions.MainObjAuthScopesRequired: Perform permission checks based on the main resource of the endpoint.

class vng_api_common.permissions.RelatedObjAuthScopesRequired: Perform permission checks based on an object related to the endpoint resource.

vng_api_common.permissions.bypass_permissions(request: Request) → bool: Bypass permission checks in DEBUG when using the browsable API renderer

vng_api_common.permissions.permission_class_factory(base=<class 'vng_api_common.permissions.BaseAuthRequired'>, **attrs) → type

Build a view-specific permission class

This is just a small wrapper around type intended to keep the code readable.

Scopes

Define scopes to manage authorizations on API resources.

Scope objects hold their own definition and documentation. Public scopes get added to the scope registry, which can be introspected for automatic documentation.

class vng_api_common.scopes.Scope(label: str, description: str = None, private: bool = False)

Define a single scope object.

A scope is characterized by a label, whereas the actual permissions related to it are implemented in the view(set)s. Scopes can be OR-ed/AND-d together:

>>> Scope("foo") | Scope("bar")
Scope("foo | bar")

>>> Scope("foo") & Scope("bar")
Scope("foo & bar")

this is interpreted as: you have permission if you have one of either scopes in your authorization configuration.

Parameters:

label – A label identifying the scope. Labels must be unique.
description – An optional description of what the scope allows/means.
private – Private scopes are not added to the registry.

is_contained_in(scope_set: List[str]) → bool: Test if the flat scope_set encapsulate this scope.