intersis / django-rest-serializer-field-permissions Goto Github PK

• Make it clear that this module only governs retrieve access
• Elaborate on creating new permissions
• Add doc strings to everything in preparation for Sphinx
• Build docs with sphinx
• Host on read-the-docs

I'd like to use field-permissions with a JSONField.

Hi, first of all, great work on this package!

I'm trying to use it along with DRF's nested serializers feature.
My code looks something like this:

class AccountSerializer(serializers.ModelSerializer):
    email = fields.EmailField(permission_classes=(IsAuthenticated(), ))

    class Meta:
         model = Account

class ContactSerializer(serializers.ModelSerializer):
    account = AccountSerializer(read_only=True)

    class Meta:
        model = Contact
        fields = (..., 'account', )

Unfortunately I'm getting the following error when calling the endpoint:

File ".../rest_framework_serializer_field_permissions/serializers.py", line 24, in fields
    request = self._context["request"]
KeyError: 'request'

Looks like the context is not passed to the nested serializer, so we can't access the request.

I used the workaround suggested here encode/django-rest-framework#2555 (comment) and it works but is there a nicer way to solve this?
I can help out and open a PR if you have an idea.

After trying to set up field based permissions with this library, I discovered I was unable to use permission on serializers with many=True. I believe this is likely because when you create a serializer with many=True DRF creates a ListSerializer to stand in for the serializer a user is creating.

I think a way to solve this problem would be to find some way to get the check_permission attribute to be on the ListSerializer, possibly by creating a custom list serializer.

What are your thoughts on this? If I can get some feedback I'll look into it more, implement the changes, and submit a PR.

How about adding permissions to automatically generated fields by specifying the permissions in Meta?

    class Meta:
        model = ...
        fields = [..., 'state']
        permissions = {
            'state': [...],
        }

I have a use case where I am using DRF field permissions with django-rest-framework-json-api, which uses RelatedFields in favor of Serializer fields. The current SerializerPermissionMixin is not compatible with RelatedFields - but I'm looking for something very similar to that mixin.

The URL in setup currently points to a defunct website, rather than the package repo. That means folks coming from PyPi are unlikely to be able to contribute, see issues, etc, because they can't easily find the repo for this package.

Specifically:

• Python 3.7
• Django 2.1
• DRF 3.8

Pattern tests off of DRF.

For more complex object-level field permissions, I think it could be beneficial to pass the instance that is currently being checked to the FieldPermission. This is pretty simply achieved by wrapping Serializer.to_representation(instance) and keeping track of this instance in a Serializer.current_instance variable. (This is necessary for ListSerializers, as the Serializer.instance field contains the entire list in that case).

I have tested/implemented this in a branch on my fork, and will be opening a PR for review.