WEBVTT
Kind: captions
Language: en

00:00:00.030 --> 00:00:06.270
Okay so now we have a fully functioning
profile REST API however you may have

00:00:06.270 --> 00:00:11.190
noticed there is one issue with this API
and that is that any user can

00:00:11.190 --> 00:00:16.470
anonymously make changes to any other
user's profile so you can head over to

00:00:16.470 --> 00:00:20.789
the profile with ID 2 and you can
change the name change the password or

00:00:20.789 --> 00:00:25.710
change any of the details with this API
without being authenticated and you can

00:00:25.710 --> 00:00:31.830
do the same to user profile 1 now this
obviously would not work for a real API

00:00:31.830 --> 00:00:36.870
we want to be able to restrict the users
so they can only make changes to their

00:00:36.870 --> 00:00:44.219
own profile in the system we do that
using a Django permissions class so load

00:00:44.219 --> 00:00:48.600
up the Atom editor and we're going to
create a new permissions class in our

00:00:48.600 --> 00:00:56.489
profiles API app create a new file
called permissions dot py and at the top of

00:00:56.489 --> 00:01:00.149
the file we're going to import the
permissions module from the rest

00:01:00.149 --> 00:01:04.830
framework this is going to provide us
with the base class that we can use to

00:01:04.830 --> 00:01:12.229
create a custom permissions class so
type from rest underscore framework

00:01:12.229 --> 00:01:21.470
import permissions and then we're going
to create a class called update own

00:01:21.470 --> 00:01:29.640
profile and we're going to base it from
permissions dot base permission as the name

00:01:29.640 --> 00:01:33.570
suggests this is the base permission
class that Django REST framework

00:01:33.570 --> 00:01:40.140
provides for making your own custom
permissions classes add the doc string

00:01:40.140 --> 00:01:47.700
allow users to edit their own profile
this is what this permission is going to

00:01:47.700 --> 00:01:54.149
allow the users to do the way you define
permission classes is you add a has

00:01:54.149 --> 00:02:00.390
object permissions function to the class
which gets called every time a request

00:02:00.390 --> 00:02:07.229
is made to the API that we assign our
permission to this function

00:02:07.229 --> 00:02:13.850
will return a true or a false to
determine whether the authenticated user

00:02:13.850 --> 00:02:17.960
has the permission to do the change
they're trying to do so let's create a

00:02:17.960 --> 00:02:25.480
new function here called def has
underscore object underscore permission

00:02:25.480 --> 00:02:37.450
then we'll pass in the argument self
request view and object or obj the

00:02:37.450 --> 00:02:44.050
docstring that we're going to assign is
check user is trying to edit their own

00:02:44.050 --> 00:02:47.200
profile

00:02:47.200 --> 00:02:50.810
So what happens here is every
time a request is made the Django REST

00:02:50.810 --> 00:02:54.710
framework will call this function has
object permission and it will pass in

00:02:54.710 --> 00:03:01.730
the request object the view and the
actual object that we're checking the

00:03:01.730 --> 00:03:08.180
permissions against so when we try and
update a user profile this gets called

00:03:08.180 --> 00:03:13.930
and all of these functions get passed in for the particular request and the

00:03:13.930 --> 00:03:18.650
attempted object that we're trying to
make the change on so we need to check

00:03:18.650 --> 00:03:24.020
whether we should allow or deny this
change and add the rules in here in the

00:03:24.020 --> 00:03:29.030
has object permission logic what we're
going to do is we're going to check the

00:03:29.030 --> 00:03:33.620
method that is being made
for the request and we're going to see

00:03:33.620 --> 00:03:40.130
whether that is in the safe methods list
so the method is the HTTP method that is

00:03:40.130 --> 00:03:46.190
being used on the current request so
that could be an HTTP GET, PUT, PATCH or

00:03:46.190 --> 00:03:48.700
delete request

00:03:48.700 --> 00:03:52.520
The safe methods are methods that don't require or don't make

00:03:52.520 --> 00:03:58.790
any changes to the object so a safe
method would be for example HTTP GET

00:03:58.790 --> 00:04:02.120
because all you're doing is you're
reading an object you're not actually

00:04:02.120 --> 00:04:06.860
trying to make any changes to the object
itself

00:04:06.860 --> 00:04:08.660
So we want to allow users to view

00:04:08.660 --> 00:04:15.200
other users profiles but only be able to
make changes to their own profile we do

00:04:15.200 --> 00:04:27.020
this by writing if request dot method in
permissions dot safe methods return true

00:04:27.020 --> 00:04:34.060
so if the method being used is an HTTP
GET then it will be in the safe methods

00:04:34.060 --> 00:04:39.160
therefore it will just return true and
allow the request

00:04:39.160 --> 00:04:40.520
Now we need to handle

00:04:40.520 --> 00:04:45.259
what happens if the request is not in
the safe methods for example if they're

00:04:45.260 --> 00:04:50.100
trying to do an HTTP PUT to update an
object

00:04:50.100 --> 00:04:51.020
What we're going to do is we're

00:04:51.020 --> 00:04:56.440
going to check whether the object
they're updating matches their

00:04:56.440 --> 00:05:02.659
authenticated user profile that is added
to the authentication of the request so

00:05:02.659 --> 00:05:07.849
when you authenticate a request in
Django REST framework it will assign the

00:05:07.849 --> 00:05:13.039
authenticated user profile to the
request and we can use this to compare

00:05:13.039 --> 00:05:19.699
it to the object that is being updated
and make sure they have the same ID we

00:05:19.699 --> 00:05:33.889
do this by typing return object dot ID and
then two equals request dot user dot ID in Python

00:05:33.889 --> 00:05:40.280
you can return a boolean of a comparison
by writing the syntax like this so when

00:05:40.280 --> 00:05:46.849
we return object dot ID equals request
dot user dot ID if this evaluates to

00:05:46.849 --> 00:05:51.680
true then it will return true and if it
doesn't evaluate to true then it will

00:05:51.680 --> 00:05:56.659
return false so when the user makes a
request we're going to check if the

00:05:56.659 --> 00:06:01.340
request is in the safe methods if it is
in the safe methods we're just going to

00:06:01.340 --> 00:06:05.630
allow the request to go through
otherwise if it's not in the safe

00:06:05.630 --> 00:06:10.370
methods so they're using an update or a delete or something like that

00:06:10.370 --> 00:06:18.289
then we will return the result of if the
object dot ID equals the request dot

00:06:18.289 --> 00:06:20.200
user dot ID

00:06:20.200 --> 00:06:24.110
this way it will return true if
the user is trying to update their own

00:06:24.110 --> 00:06:29.419
profile or otherwise it will return
false okay so that's how we create a

00:06:29.419 --> 00:06:34.639
custom permission with the Django REST
framework make sure you save the file

00:06:34.639 --> 00:06:38.800
and then we're ready to move on to the
next video
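
The permission class the video walks through, written out as an added example (not the course's own file), with a small offline harness. If Django REST framework is installed its real BasePermission and SAFE_METHODS are used; otherwise a stand-in with the same names is defined so the logic can be exercised without Django. The `check` helper and its SimpleNamespace request/object stand-ins are constructed for this example.

```python
"""Added example: the UpdateOwnProfile permission from the tutorial,
runnable without Django REST framework installed."""
from types import SimpleNamespace

try:
    from rest_framework import permissions
except ImportError:  # stand-in so the file runs without DRF (assumption)
    class _BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

    permissions = SimpleNamespace(
        BasePermission=_BasePermission,
        SAFE_METHODS=("GET", "HEAD", "OPTIONS"),  # same tuple DRF defines
    )


class UpdateOwnProfile(permissions.BasePermission):
    """Allow users to edit their own profile."""

    def has_object_permission(self, request, view, obj):
        """Check user is trying to edit their own profile."""
        # Read-only methods are always allowed: anyone may view any profile.
        if request.method in permissions.SAFE_METHODS:
            return True
        # Write methods (PUT, PATCH, DELETE) are allowed only when the target
        # profile is the caller's own. An unauthenticated caller has no id
        # (Django's AnonymousUser.id is None), so the comparison is False.
        return obj.id == request.user.id


def check(method, user_id, obj_id):
    """Run the permission for a constructed request/object pair (offline)."""
    request = SimpleNamespace(method=method, user=SimpleNamespace(id=user_id))
    obj = SimpleNamespace(id=obj_id)
    return UpdateOwnProfile().has_object_permission(request, view=None, obj=obj)


if __name__ == "__main__":
    print("GET other profile:", check("GET", 1, 2))      # True
    print("PUT own profile:", check("PUT", 1, 1))        # True
    print("PUT other profile:", check("PUT", 1, 2))      # False
    print("DELETE anonymous:", check("DELETE", None, 2)) # False
```

Note that has_object_permission only runs when the view calls get_object(), i.e. on detail routes, so this class alone does not restrict list or create; pair it with an authentication class so request.user is populated.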

