Authorization
Djing leverages PyJinx policies to authorize incoming requests.
When Djing is accessed only by you or your development team, you may not need additional authorization before Djing handles incoming requests. However, if you provide access to Djing to your clients or a large team of developers, you may wish to authorize certain requests. For example, perhaps only administrators may delete records. Thankfully, Djing takes a simple approach to authorization that leverages PyJinx Policy feature.
Policies
To limit which users may view, create, update, or delete resources, Djing leverages PyJinx’s authorization policies. Policies are simple Python classes that organize authorization logic for a particular model or resource. For example, if your application is a blog, you may have a Post
model and a corresponding PostPolicy
within your application.
When manipulating a resource within Djing, Djing will automatically attempt to find a corresponding policy for the model. If Djing detects a policy has been registered for the model, it will automatically check that policy’s relevant authorization methods before performing their respective actions, such as:
view_any
view
create
update
replicate
delete
restore
force_delete
No additional configuration is required! So, for example, to determine which users are allowed to update a Post
model, you simply need to define an update
method on the model’s corresponding policy class:
commander djing:policy PostPolicy --model="posts.models.Post"
This will create a policy class for Post model inside djing_admin/app/Policies/PostPolicy.py
from django.contrib.auth.models import User
from posts.models import Post
class PostPolicy:
def __init__(self) -> None:
pass
def view_any(self, user: User) -> bool:
return True
def view(self, user: User, model: Post) -> bool:
return True
def create(self, user: User) -> bool:
return True
def update(self, user: User, model: Post) -> bool:
return True
def delete(self, user: User, model: Post) -> bool:
return True
def restore(self, user: User, model: Post) -> bool:
return True
def force_delete(self, user: User, model: Post) -> bool:
return True
Registering Policy
After creating policy for a model, you need to register policy to make it work. you can register policy inside djing_admin/app/Providers/DjingSeviceProvider.py
from Illuminate.Support.Facades.Gate import Gate
from djing.core.Foundation.Djing import Djing
from djing.core.Providers.DjingApplicationServiceProvider import (
DjingApplicationServiceProvider,
)
from posts.models import Post
from djing_admin.app.Policies.PostPolicy import PostPolicy
class DjingServiceProvider(DjingApplicationServiceProvider):
# ...
def register(self):
Djing.with_breadcrumbs()
Gate.policy(Post, PostPolicy)
Last updated