Authorization

Djing leverages PyJinx policies to authorize incoming requests.

When Djing is accessed only by you or your development team, you may not need additional authorization before Djing handles incoming requests. However, if you provide access to Djing to your clients or a large team of developers, you may wish to authorize certain requests. For example, perhaps only administrators may delete records. Thankfully, Djing takes a simple approach to authorization that leverages PyJinx Policy feature.

Policies

To limit which users may view, create, update, or delete resources, Djing leverages PyJinx’s authorization policies. Policies are simple Python classes that organize authorization logic for a particular model or resource. For example, if your application is a blog, you may have a Post model and a corresponding PostPolicy within your application.

When manipulating a resource within Djing, Djing will automatically attempt to find a corresponding policy for the model. If Djing detects a policy has been registered for the model, it will automatically check that policy’s relevant authorization methods before performing their respective actions, such as:

  • view_any

  • view

  • create

  • update

  • replicate

  • delete

  • restore

  • force_delete

No additional configuration is required! So, for example, to determine which users are allowed to update a Post model, you simply need to define an update method on the model’s corresponding policy class:

commander djing:policy PostPolicy --model="posts.models.Post"

This will create a policy class for Post model inside djing_admin/app/Policies/PostPolicy.py

djing_admin/app/Policies/PostPolicy.py
from django.contrib.auth.models import User
from posts.models import Post

class PostPolicy:
    def __init__(self) -> None:
        pass

    def view_any(self, user: User) -> bool:
        return True

    def view(self, user: User, model: Post) -> bool:
        return True

    def create(self, user: User) -> bool:
        return True

    def update(self, user: User, model: Post) -> bool:
        return True

    def delete(self, user: User, model: Post) -> bool:
        return True

    def restore(self, user: User, model: Post) -> bool:
        return True

    def force_delete(self, user: User, model: Post) -> bool:
        return True

Registering Policy

After creating policy for a model, you need to register policy to make it work. you can register policy inside djing_admin/app/Providers/DjingSeviceProvider.py

djing_admin/app/Providers/DjingServiceProvider.py
from Illuminate.Support.Facades.Gate import Gate
from djing.core.Foundation.Djing import Djing
from djing.core.Providers.DjingApplicationServiceProvider import (
    DjingApplicationServiceProvider,
)
from posts.models import Post
from djing_admin.app.Policies.PostPolicy import PostPolicy

class DjingServiceProvider(DjingApplicationServiceProvider):
    # ...

    def register(self):
        Djing.with_breadcrumbs()

        Gate.policy(Post, PostPolicy)

Last updated