WEBVTT 00:00.090 --> 00:06.060 Hello everyone and welcome to this first lesson about the permission system in Django REST framework. 00:06.090 --> 00:12.390 In this lesson you're going to learn how to secure your REST APIs with the permissions system provided 00:12.390 --> 00:16.490 by Django REST framework in the context of the ebooks API project. 00:16.530 --> 00:23.370 We will see how to grant access to our API only to authenticated users and grant the right 00:23.420 --> 00:26.510 permissions only to authorized users. 00:26.530 --> 00:32.090 Let's get started. As you can see I'm currently navigating Django REST framework's documentation. 00:32.220 --> 00:38.670 You can access the permissions page by clicking on the drop down menu on API Guide and then clicking 00:38.670 --> 00:39.730 on Permissions. 00:39.780 --> 00:47.220 And as we can read here from "Setting the permission policy", we see that we can easily set the permission 00:47.220 --> 00:52.140 policy for our project globally from within the settings 00:52.140 --> 01:01.830 dot py file. It is as easy as defining a dictionary assigned to a REST_FRAMEWORK variable, and within this 01:01.830 --> 01:05.780 dictionary, as you can see, we can identify the default 01:05.780 --> 01:09.970 permission classes that we want to use for our project. 01:10.050 --> 01:14.690 We could for example set permissions dot IsAuthenticated as the default 01:14.690 --> 01:23.340 permission class to secure every endpoint of our REST API, allowing access only to authenticated users, 01:23.560 --> 01:27.640 and as we can read right here below, if not specified, 01:27.690 --> 01:31.870 this setting defaults to allowing unrestricted access. 01:31.950 --> 01:39.510 And this is the reason why so far during the course we've been able to make so-called unsafe requests 01:39.750 --> 01:46.230 such as PUT, PATCH and DELETE without needing to be authenticated, even though, as we are going to 01:46.230 --> 01:47.280 see pretty soon,
01:47.310 --> 01:55.290 using IsAuthenticated as the global policy will automatically also secure our GET endpoints. As we can 01:55.290 --> 02:01.620 read from the API reference, Django REST framework provides several different permission classes that we can 02:01.650 --> 02:04.580 integrate easily within our projects. 02:04.630 --> 02:10.740 We've already seen AllowAny and IsAuthenticated, but as you can read we also have IsAdminUser and 02:10.750 --> 02:12.510 IsAuthenticatedOrReadOnly. 02:12.520 --> 02:18.600 And in this lecture we are also going to see how we can actually specify different permission classes 02:18.600 --> 02:25.520 for different views, so that if you need to you can also specify different permission policies for different 02:25.520 --> 02:27.470 endpoints of your API. 02:27.690 --> 02:35.400 So let's get started by setting up the IsAuthenticated class as the default permission class for our project. 02:35.400 --> 02:41.930 I'm now going to copy this dictionary here, which we need to copy and paste within the settings dot 02:42.000 --> 02:45.010 py file of our ebooks API project. 02:45.030 --> 02:53.850 So let's open, in Visual Studio Code, the ebooks API settings dot py, and here at the bottom of 02:53.850 --> 03:02.040 the file we can paste the settings dictionary, so REST_FRAMEWORK, DEFAULT_PERMISSION_CLASSES, rest_framework 03:02.160 --> 03:09.330 dot permissions dot IsAuthenticated. So let's now run the development server and let's make an example 03:09.370 --> 03:10.330 right away. 03:10.440 --> 03:12.170 Let's go back to Chrome now. 03:13.810 --> 03:18.650 And let's make a GET request to slash api slash ebooks. 03:18.740 --> 03:22.500 Let's try to retrieve the list of ebooks we have in our system. 03:22.610 --> 03:25.080 And as expected we get an error.
03:25.100 --> 03:33.280 First of all the status code is HTTP 403 Forbidden, and within the details we read "detail: Authentication 03:33.290 --> 03:35.450 credentials were not provided." 03:35.510 --> 03:43.130 The same thing happens, clearly, if we just try to access the JSON content, and of course the same happens 03:43.130 --> 03:46.940 for any other endpoint within our API. 03:46.940 --> 03:52.450 So for example let's try to get the details of the ebook with primary key one. 03:52.730 --> 03:57.880 And of course 403 Forbidden, "Authentication credentials were not provided." 03:57.950 --> 04:04.730 And this is because we have set the permission policy globally. We could have set something like 04:04.790 --> 04:07.040 IsAuthenticatedOrReadOnly. 04:07.070 --> 04:12.850 So let's try and make an example with this class, going back to Visual Studio Code. 04:12.860 --> 04:18.170 I'm now going to change the value assigned to DEFAULT_PERMISSION_CLASSES. 04:18.230 --> 04:23.840 Let's restart our development server and let's now go back to Chrome. 04:24.830 --> 04:26.630 Let's make another GET request. 04:26.660 --> 04:34.040 So let's try to retrieve the details of the same ebook, and as you can see we now get the details 04:34.040 --> 04:36.260 of this specific instance. 04:36.260 --> 04:38.660 However we cannot update it. 04:38.810 --> 04:45.020 We could try to make, let's say, a PUT request; however, because of the specific permission class that 04:45.040 --> 04:49.020 we are using right now, any HTTP request other 04:49.020 --> 04:51.950 than GET is going to be refused 04:51.950 --> 04:53.620 if the user that performs it 04:53.630 --> 04:55.540 is not authenticated. 04:55.580 --> 05:02.390 Let's try for example to get the list of all the ebooks, and we see that we get it. 05:02.390 --> 05:07.010 We can actually retrieve and read the details of the books in our database.
05:07.010 --> 05:10.630 But as we can see we cannot create any new ones. 05:10.670 --> 05:17.030 And because of that the browsable API view is not even showing us the HTML form for this. However powerful 05:17.030 --> 05:23.810 and really useful the global permission policy system can be, it is often not enough to satisfy 05:23.870 --> 05:26.260 each and every development use case. 05:26.300 --> 05:32.480 And that's why you can actually select, as we've mentioned, different permission classes for different 05:32.540 --> 05:33.390 views. 05:33.500 --> 05:35.360 So going back to Visual Studio Code. 05:35.360 --> 05:40.700 Now first of all I'm going to comment out the REST_FRAMEWORK dictionary, like so. 05:41.060 --> 05:50.200 And going back to the views dot py file, I'm now going to import permissions within this file: from rest_framework 05:50.230 --> 05:53.700 import permissions. 05:53.770 --> 06:01.480 And now, because of the way that concrete view classes are set up, we can specify permission_classes and 06:01.630 --> 06:08.110 we can pass a list with one or more permission classes that we want to use for our API view. 06:08.110 --> 06:15.280 So in this case let's make a simple example: permissions dot IsAuthenticatedOrReadOnly. 06:15.280 --> 06:21.460 So we are using the same permission class that we've seen in the REST_FRAMEWORK dictionary, 06:21.490 --> 06:25.010 but in this case we are setting it up locally. 06:25.060 --> 06:35.210 Let's restart our development server and let's go back to Chrome. Let's make another GET request, 06:35.720 --> 06:41.860 and you see now, same as before when we set the policy globally, we can get the list of the ebooks 06:41.870 --> 06:45.350 in our database but we cannot add any new ones. 06:45.350 --> 06:49.030 Things are different, however, for the detail endpoint. 06:49.040 --> 06:51.750 Let's get the details of this ebook.
06:52.080 --> 06:57.670 And you see now, if we needed to, we could update the instance, and the same thing happens if we try 06:57.670 --> 07:02.510 for example to leave a review for this specific book. 07:02.510 --> 07:10.970 You see we get the HTML form, and that's because of course in our review create API view and in our 07:11.060 --> 07:13.190 ebook detail API view 07:13.190 --> 07:19.430 we have not specified any permission classes to use, and therefore Django REST framework is defaulting 07:19.520 --> 07:23.550 back to the default value associated with its settings, 07:23.720 --> 07:26.460 that, as we've said, is AllowAny. 07:26.580 --> 07:30.940 Let's now focus, however, on the ebook API views. 07:31.460 --> 07:37.270 So I'm going to add permission_classes to the detail endpoint as well. 07:37.290 --> 07:43.870 Going to save, restart the development server, let's now go back to Chrome once again. 07:44.360 --> 07:50.200 And so here I am now going to make a GET request for the detail endpoint; you see we no longer have 07:50.200 --> 07:51.480 the HTML form. 07:51.580 --> 07:54.460 So let's now try to make an authenticated request then. 07:54.490 --> 08:04.370 I'm now going to log in using the admin panel as admin, so let's now go back to the same endpoint 08:04.640 --> 08:05.570 as before. 08:05.570 --> 08:13.010 And as you see we now get the HTML form, and that's because we can now successfully make requests other 08:13.010 --> 08:19.730 than GET, meaning we can make both PUT requests and DELETE requests, which are available in this specific 08:19.730 --> 08:22.660 endpoint only to authenticated users. 08:22.820 --> 08:25.230 We can however do something even better than this. 08:25.310 --> 08:32.060 Let's say for example that we want to set up a permission policy that allows only our admin users to 08:32.090 --> 08:35.230 create new instances of ebook,
08:35.510 --> 08:41.710 and allows anybody else, authenticated or not, to get the list anyway of the ebooks in our 08:41.720 --> 08:42.620 database. 08:42.680 --> 08:48.890 And in order to do so we're going to have to actually create a new permission class, because you see 08:48.920 --> 08:55.190 Django REST framework provides us IsAdminUser, but we want something a bit more sophisticated, something 08:55.190 --> 08:58.620 like IsAdminUserOrReadOnly. 08:58.700 --> 09:07.400 So let's go back to the admin interface of the project, and I'm now going to create a new user that 09:07.410 --> 09:10.360 I can just call standard. 09:10.760 --> 09:12.120 I'm going to give it a password, 09:14.700 --> 09:18.410 like so, and save. 09:18.600 --> 09:25.520 And clearly we've now created, you see, a standard user, because neither staff status nor superuser 09:25.530 --> 09:32.040 status, as you see, are selected, and because of that no staff privileges are going to be granted to this standard 09:32.050 --> 09:32.790 user. 09:33.210 --> 09:39.420 However, because of the specific nature of this user, we cannot use this site administration 09:39.420 --> 09:47.160 interface to log the user in. We need therefore to include Django REST framework's URLs within our project 09:47.250 --> 09:51.550 so that we can use the browsable API to log users in. 09:51.630 --> 10:00.210 So let us go back to Visual Studio Code and let's open up the urls dot py file of the project 10:00.210 --> 10:00.720 itself. 10:00.720 --> 10:07.680 Basically the main urls dot py file, and we are now going to add this specific path that, as you 10:07.680 --> 10:14.000 can see, includes Django REST framework's URLs at the URL api-auth. 10:14.130 --> 10:25.080 So let's save, let's restart our development server and let's go back to Chrome. Now let's just go to, for example, 10:25.230 --> 10:28.150 api slash ebooks.
10:29.100 --> 10:34.320 And you'll see that now we get this drop down menu where, at the moment, because we are currently logged 10:34.320 --> 10:39.030 in, we get Log out, and in the same way we can now log back in. 10:39.210 --> 10:45.720 And that's because, as a matter of fact, we've actually added the default authentication endpoints 10:45.780 --> 10:47.510 provided by Django REST framework. 10:47.520 --> 10:50.130 You see, log in and log out. 10:50.190 --> 10:55.940 We are then going to talk in great detail about authentication in the next section of the course. 10:55.950 --> 10:57.370 So let's now log in. 10:58.050 --> 11:08.310 We are a standard user, so I'm going to api slash ebooks, click Log in, standard, like so, and you 11:08.310 --> 11:13.010 see we now can make GET requests and also POST requests. 11:13.110 --> 11:19.390 So let's now go back to Visual Studio Code once again, and within the API folder 11:19.440 --> 11:27.150 I'm now going to create a new file which I'm going to call permissions dot py, and here first of all I'm 11:27.150 --> 11:36.800 going to import the permissions module, and I can now use IsAdminUser to create a new class. 11:37.230 --> 11:40.580 So class IsAdmin 11:40.610 --> 11:46.010 UserOrReadOnly, which is going to extend permissions 11:46.020 --> 11:52.900 dot IsAdminUser, and we can now override the has_permission method. 11:52.920 --> 12:00.560 So def has_permission, and you see Visual Studio Code provides us part of the code that we need. 12:00.870 --> 12:03.130 But nevertheless we need to adapt it. 12:03.480 --> 12:08.880 So here for example I'm going to define a variable is_admin equals super dot 12:08.910 --> 12:14.760 has_permission request and view, and here I'm going to return request 12:14.760 --> 12:24.550 dot method in permissions dot SAFE_METHODS or is_admin. 12:24.550 --> 12:26.700 So let's explain the code a little bit.
12:26.740 --> 12:34.990 First of all we get is_admin by using super dot has_permission, and because the IsAdminUser class, 12:35.500 --> 12:43.150 you see, is actually in charge of telling us if the user is admin or not, we can therefore get this important 12:43.210 --> 12:51.290 information. Then we're going to return True if the user is admin or if the method of the request, 12:51.310 --> 12:54.760 basically the HTTP verb, is in permissions 12:54.760 --> 12:57.230 dot SAFE_METHODS, 12:57.400 --> 13:03.790 which, you see, as we've previously mentioned, covers all those HTTP verbs that are not used 13:03.880 --> 13:10.070 in requests that are going to change the content, basically, of the database. 13:10.090 --> 13:12.020 So we can now use this class. 13:12.490 --> 13:14.630 First of all we need to import it. 13:14.650 --> 13:27.420 So from ebooks dot api dot permissions import IsAdminUserOrReadOnly, so we can now use it. 13:28.270 --> 13:36.140 Going to pass the name inside of the permission_classes list. Let us now restart the development 13:36.140 --> 13:41.440 server and let's go back to Chrome once again. 13:41.590 --> 13:46.200 So at the moment you see we have the HTML form. 13:46.320 --> 13:52.270 Let's now make another GET request, and clearly you'll see the form disappears. 13:52.270 --> 13:56.590 The same thing happens for the detail endpoint. 13:56.590 --> 14:06.740 Let's now log out and let's log back in using the admin account, and you see the HTML form is now back. 14:06.760 --> 14:12.020 And that's because we are now allowed to make so-called unsafe requests. 14:12.190 --> 14:15.730 So let's actually test this ability 14:15.730 --> 14:25.550 by updating the description once again, PUT it, and as you see the description has been updated.
14:25.550 --> 14:31.610 So that was it for this first lecture about the permission system in Django REST framework. In the 14:31.610 --> 14:37.400 next lecture we're going to further our knowledge of Django REST framework permissions by granting 14:37.400 --> 14:40.160 update and delete permissions for reviews 14:40.170 --> 14:42.740 only to the users who created them.
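The IsAdminUserOrReadOnly class described in the lecture, written out as an added example (not the course's own permissions.py) together with a small driver that evaluates the policy for each HTTP verb without a running server. The fallback stand-in for DRF's IsAdminUser and SAFE_METHODS, and the minimal request/user objects, are assumptions for running offline; with Django REST framework installed the real classes are used.

```python
# Added example: the IsAdminUserOrReadOnly permission from the lecture, plus a
# small driver so the policy can be checked without a running Django server.
try:
    from rest_framework.permissions import SAFE_METHODS, IsAdminUser
except Exception:  # DRF not installed or Django settings not configured
    # Constructed stand-in mirroring DRF: IsAdminUser passes only for staff
    # users, and SAFE_METHODS are the read-only HTTP verbs.
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class IsAdminUser:
        def has_permission(self, request, view):
            user = getattr(request, "user", None)
            return bool(user and getattr(user, "is_staff", False))


class IsAdminUserOrReadOnly(IsAdminUser):
    """Read-only access for everyone (authenticated or not); writes only for staff."""

    def has_permission(self, request, view):
        # IsAdminUser already decides whether the request's user is staff.
        is_admin = super().has_permission(request, view)
        # Safe verbs (GET, HEAD, OPTIONS) never change the database, so they
        # pass; anything else (POST, PUT, PATCH, DELETE) requires an admin.
        return request.method in SAFE_METHODS or is_admin


# Constructed minimal request/user objects standing in for Django's (assumption).
class _User:
    def __init__(self, is_staff):
        self.is_staff = is_staff


class _Request:
    def __init__(self, method, user):
        self.method = method
        self.user = user


def allowed(method, is_staff):
    """Evaluate the policy for one HTTP verb and one kind of user."""
    request = _Request(method, _User(is_staff))
    return IsAdminUserOrReadOnly().has_permission(request, view=None)


# In views.py the class is used per view (needs DRF):
#     permission_classes = [IsAdminUserOrReadOnly]
if __name__ == "__main__":
    for verb in ("GET", "HEAD", "POST", "PUT", "DELETE"):
        print(verb, "standard:", allowed(verb, False), "admin:", allowed(verb, True))
```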