JWT for object level permission & Discussion tab about djangorestframework-simplejwt HOT 8 CLOSED

the internet is async, so nw!

jwts have public claims and private payloads. Feel free to read the docs to see how to set each.

from djangorestframework-simplejwt.

Hi,

I think this will provide an object level permission:

class IsOwnerOrReadOnlyJWT(permissions.BasePermission):
    """
    Custom JWT permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        jwt_authenticator = JWTAuthentication()
        data = jwt_authenticator.authenticate(request=request)
        if data:
            user, token = data
            if user and user.id == request.user.id == obj.owner_id:
                # Write permissions are only allowed to the owner of the object.
                return True

        # If wasn't safe method or authenticate as the owner of the object - reject.
        return False

like to hear opinions, Thanks!

from djangorestframework-simplejwt.

Hi! Great approach, and I think that's a great custom solution. I think if you want an authentication battery included package, you should take a look at django-oauth-toolkit which will come with its own claims.

I also think that, with JWTs, you could simply add claims to your JWT rather than performing backend checks for resources for everything. Some things require permissions, such as at the object level like what can the current user see, but that should be at view level.

from djangorestframework-simplejwt.

Hi @Andrew-Chen-Wang, even if authentication isn't the main goal of this library, do you think a section in the docs with an example would be a good idea? My use case doesn't require oauth and a simple extra permission does the job. I also think adding the discussions tab is a good idea. A lot of the issues aren't really issues, but people asking how to do X or Y.

from djangorestframework-simplejwt.

Happy to review a new doc section with multiple examples. Might be helpful to link to examples written in the code base instead of the docs, and embed the code.

Also happy to open Discussions tab. @jazzband/roadies are the only ones with power to do so.

from djangorestframework-simplejwt.

@Andrew-Chen-Wang

Hi! Great approach, and I think that's a great custom solution. I think if you want an authentication battery included package, you should take a look at django-oauth-toolkit which will come with its own claims.

I also think that, with JWTs, you could simply add claims to your JWT rather than performing backend checks for resources for everything. Some things require permissions, such as at the object level like what can the current user see, but that should be at view level.

I will take a look at django-oauth-toolkit ,thanks!
Can you elaborate about "simply add claims to your JWT" ?

(Sorry for the delay, had some home-assignments / interviews)

from djangorestframework-simplejwt.

Didn't understand how it could replace the above.
Or you meant to do this check in the views? (It will be DRY?)

from djangorestframework-simplejwt.

Either is fine, serializer is preferred. Doc page: https://django-rest-framework-simplejwt.readthedocs.io/en/latest/customizing_token_claims.html

from djangorestframework-simplejwt.