How to get working @permission_required decorator?

[VetalM84]

Hi, added this decorator to endpoint @permission_required("currency.add_currency", raise_exception=True) but Ninja ignores it.
The main idea is like in DRF is to apply something like permission_classes = [IsAuthenticatedOrReadOnly]
Ho do you handle permissions?

[vitalik]

Hi @VetalM84

Could you show code example (at least how you applied decorator ? )

[VetalM84]

Hi, @vitalik

@api.post(
    "/currencies",
    response={201: CurrencyBase, 400: ErrorMsg},
    tags=["Currency"],
    auth=AuthBearer(),
)
@permission_required("currency.add_currency", raise_exception=True)
def add_new_currency(request, payload: CurrencyIn):
    """Add new currency."""
    if Currency.objects.filter(code__iexact=payload.code).exists():
        return 400, {"message": "Currency with that code already exists"}
    currency = Currency.objects.create(**payload.dict())
    return 201, currency

[vitalik]

@VetalM84 so far so good...

now can you show the permission_required code ?

[VetalM84]

It is imported from Django from django.contrib.auth.decorators import permission_required

[OtherBarry]

@VetalM84 I've made a simple permissions decorator here: https://github.com/OtherBarry/django-ninja-decorators/blob/master/ninja_decorators/permissions.py

I'm working on turning it into an actual package with tests and everything, but I'm using something similar in production code currently so the concept works.

[vitalik]

@VetalM84

I guess you need to keep in mind that ninja auth sets the request.auth attribute during authenticate (while django sets the request.user) - because in APIs it's not only user can be a principal but tokens/secrets/etc

so in order to reuse some django auth related decorators you need to set as well request.user to a User object :

from ninja.security import HttpBearer
from django.contrib.auth.models import User


class AuthBearer(HttpBearer):
    def authenticate(self, request, token):
        if token == "supersecret":
            user = User.objects.get(id=1)
            request.user = user  # <---------------- !!!!!
            return user


api = NinjaAPI(auth=AuthBearer())


@api.get('/some')
@permission_required('auth.add_user')
def someview(request, param: int = 0):
    return param