Skip to main content

Declarative access policies/permissions modeled after AWS' IAM policies.

Project description

Django REST - Access Policy

Package version Python versions

This project brings a declaritive, organized approach to managing access control in Django REST Framework projects. Each ViewSet or function-based view can be assigned an explicit policy for the exposed resource(s). No more digging through views or seralizers to understand access logic -- it's all in one place in a format that less technical stakeholders can understand. If you're familiar with other declaritive access models, such as AWS' IAM, the syntax will be familiar.

In short, you can start expressing your access rules like this:

class ArticleAccessPolicy(AccessPolicy):
    statements = [
        {
            "action": ["list", "retrieve"],
            "principal": "*",
            "effect": "allow"
        },
        {
            "action": ["publish", "unpublish"],
            "principal": ["group:editor"],
            "effect": "allow"            
        }
    ]

This project has complete test coverage and the base AccessPolicy class is only ~150 lines of code: there's no magic here.


Documentation: https://rsinger86.github.io/drf-access-policy

Source Code: https://github.com/rsinger86/drf-access-policy


Changelog

0.6.2 (July 2020)

  • Uses user.pk instead of user.id in user principal check, for compatibility with non-id primary keys.
  • Fixes to documentation. Thanks @oguzhancelikarslan!

0.6.1 (June 2020)

  • Replaces references to "delete" action with "destroy" in docs/tests, to be consistent with DRF's ViewSet actions. Thanks @greenled!

0.6.0 (May 2020)

  • Only call database-hitting get_user_group_values if needed in private method. Thanks KillianMeersman!
  • Use prefetch_related_objects to ensure that user's groups aren't fetched more than once. Thanks filwaline!

0.5.1 (December 2019)

  • Tox config updates and typo fixes in docs.

0.5.0 (September 2019)

  • Add option to define re-usable custom conditions/permissions in a module that can be referenced by multiple policies.

0.4.2 (June 2019)

  • Fixes readme format for Pypy display.

0.4.0 (June 2019)

  • Allow passing arguments to condition methods, via condition values formatted as {method_name}:{arg_value}.

0.3.0 (May 2019)

  • Adds special <safe_methods> action key that matches when the current request is an HTTP read-only method: HEAD, GET, OPTIONS.

0.2.0 (May 2019)

  • Adds special authenticated and anonymous principal keys to match any authenticated user and any non-authenticated user, respectively. Thanks @bogdandm for discussion/advice!

0.1.0 (May 2019)

  • Initial release

Testing

Tests are found in a simplified Django project in the /tests folder. Install the project requirements and do ./manage.py test to run them.

License

See License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

drf-access-policy-0.6.2.tar.gz (4.7 kB view details)

Uploaded Source

File details

Details for the file drf-access-policy-0.6.2.tar.gz.

File metadata

  • Download URL: drf-access-policy-0.6.2.tar.gz
  • Upload date:
  • Size: 4.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.32.1 CPython/3.6.7

File hashes

Hashes for drf-access-policy-0.6.2.tar.gz
Algorithm Hash digest
SHA256 a10e376b32b07f77a297a5cb9544826b77ba2436d8de5277f4bdf5eb4bf2fd62
MD5 c2e2cddf5d313b6bacec7482194bbc31
BLAKE2b-256 a4d4f0d21d872ea4699dd3d107d696de4502a0cb3b96b15768df6ea234da11b9

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page