Django REST Framework integration

Installation

If you want to use Django REST Framework and Bridgekeeper together, you’ll need to add the following to your settings.py:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'bridgekeeper.rest_framework.RulePermissions',
    ),
    'DEFAULT_FILTER_BACKENDS': ('bridgekeeper.rest_framework.RuleFilter',),
}

Warning

These settings only set the default permission classes and filter backends. If you override either permission_classes or filter_backends in any APIView or ViewSet subclass, you’ll need to make sure Bridgekeeper’s classes are included in those locations too.

Permission Naming

Once you’ve changed your settings, all of your API views will automatically apply the appropriate permissions. In order for them to do so, they need to be named according to the conventional Django permission naming scheme. Given a Django app called app_name and a model called ModelName, the following permissions will be checked:

  • app_name.view_modelname for all requests.

  • app_name.add_modelname for POST requests.

  • app_name.change_modelname for PUT and PATCH requests.

  • app_name.delete_modelname for DELETE requests.

One side-effect of this is that your API consumers will not be able to make changes if they have add, change or delete permissions on some object but don’t also have view permissions for that same object. That being said, it doesn’t make sense for a user to be able to change something they can’t see anyway.