DjangoRestFramework: Not able to set permissions for custom user model-CodePudding

I've created a custom user model in my project using an abstract base user but when I'm setting permissions for my User view it's giving me a field error.

I wanted to set permission for Admin and Non-Admin users:

(a) Admin user: It can access any user (View/edit).

(b) Non-Admin user: It can access its own object (view/edit).

so something like permission_classes = [IsUserOrIsAdmin]

I've shared my corresponding model.py, serializers.py, view.py, permissions.py, and traceback for the same.

I'm working on these 2 endpoints:

path('customer/', UserListCreateAPIView.as_view()),

path('customer_info/<int:pk>/', UserRetrtieveUpdateDestroyAPIView.as_view()),

***models.py***

import email
from pyexpat import model
from django.db import models
from django.conf import settings
from django.db.models.signals import post_save
from django.dispatch import receiver

from django.contrib.auth.models import (
    BaseUserManager, AbstractBaseUser)

GENDER_CHOICES = (
    (0, 'male'),
    (1, 'female'),
    (2, 'not specified'),)

class UserManager(BaseUserManager):
  def create_user(self, email, name,contact_number,gender,address,state,city,country,pincode,dob ,password=None, password2=None):
      """
      Creates and saves a User with the given email, name, and password.
      """
      if not email:
          raise ValueError('User must have an email address')

      user = self.model(
          email=self.normalize_email(email),
          name=name,
          contact_number=contact_number,
          gender=gender,
          address=address,
          state=state,
          city=city,
          country=country,
          pincode=pincode,
          dob=dob,
          
      )

      user.set_password(password)
      
      user.save(using=self._db)
      return user

  def create_superuser(self, email, name,contact_number,gender,address,state,city,country,pincode,dob , password=None):
      """
      Creates and saves a superuser with the given email, name, and password.
      """
      user = self.create_user(
          email,
          
          name=name,
          contact_number=contact_number,
          gender=gender,
          address=address,
          state=state,
          city=city,
          country=country,
          pincode=pincode,
          dob=dob,
          password=password,
          
      )
      user.is_admin = True
      user.save(using=self._db)
      return user



class User(AbstractBaseUser):
    email = models.EmailField(verbose_name='Email',max_length=255,unique=True)
    name = models.CharField(max_length=200)
    contact_number= models.IntegerField()
    gender = models.IntegerField(choices=GENDER_CHOICES)
    address= models.CharField(max_length=100)
    state=models.CharField(max_length=100)
    city=models.CharField(max_length=100)
    country=models.CharField(max_length=100)
    pincode= models.IntegerField()
    dob = models.DateField(null= True)


    # is_staff = models.BooleanField(default=False)
    is_active = models.BooleanField(default=True)
    is_admin = models.BooleanField(default=False)
    created_at = models.DateTimeField(auto_now_add=True)
    updated_at = models.DateTimeField(auto_now=True)

    objects = UserManager()

    USERNAME_FIELD = 'email'
    REQUIRED_FIELDS = ['name','contact_number','gender','address','state','city','country','pincode','dob']

    def __str__(self):
        return self.email

    def has_perm(self, perm, obj=None):
        "Does the user have specific permission?"
        # Simplest possible answer: Yes, always
        return True

    def has_module_perms(self, app_label):
        "Does the user have permissions to view the app `app_label`?"
        # Simplest possible answer: Yes, always
        return True

    @property
    def is_staff(self):
        "Is the user a member of staff?"
        # Simplest possible answer: All admins are staff
        return self.is_admin

permission stated but not working


***permissions.py***

from django.contrib.auth import get_user_model
from rest_framework import permissions
from myapp.models import *
from rest_framework.permissions import BasePermission

User = get_user_model()


class IsUserOrIsAdmin(BasePermission):
    """Allow access to the respective User object and to admin users."""

    # def has_object_permission(self, request, view, obj):
    #     return (request.user and request.user.is_staff) or (
    #         isinstance(obj, User) and request.user == obj
    #     )

    def has_object_permission(self, request, view, obj):
        return (
           # staff can do everything
           (request.user and request.user.is_staff) or 
           # accessed obj is a Booking and belongs to the user
           (isinstance(obj, Booking) and request.user.pk == obj.user.pk) or 
           # user can access or modify his user object
           (isinstance(obj, User) and request.user.pk == obj.pk)
        )

corresponding view

***views.py***


from django.shortcuts import render
from rest_framework import viewsets
from django.http import Http404, JsonResponse
#from django.http import HttpResponse, JsonResponse
from rest_framework.views import APIView
from rest_framework.response import Response
#from rest_framework.parsers import JSONParser
from django.contrib.auth import authenticate
from rest_framework_simplejwt.tokens import RefreshToken
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import SAFE_METHODS, BasePermission,IsAuthenticatedOrReadOnly,IsAuthenticated, IsAdminUser, DjangoModelPermissionsOrAnonReadOnly, DjangoModelPermissions, AllowAny
from myapp.renderers import UserRenderer
from rest_framework import status
from rest_framework import permissions
from rest_framework import generics
from myapp.models import Airport, Flight, User, Passenger, Booking
from myapp.serializers import *
from myapp.permissions import *
from rest_framework import viewsets

class UserListCreateAPIView(generics.ListCreateAPIView):
    permission_classes = [IsUserOrIsAdmin]
    serializer_class = UserSerializer
    def get_queryset(self):
        """
        This view should return a list of all the purchases
        for the currently authenticated user.
        """
        if self.request.user.is_staff == False:

            user_data= self.request.user.id
            data = User.objects.filter(user= user_data)
            return data
        else:
            data = User.objects.all()
            return data

    
    
    
class UserRetrtieveUpdateDestroyAPIView(generics.RetrieveUpdateDestroyAPIView):
    permission_classes = [IsUserOrIsAdmin]
    serializer_class = UserSerializer
    def get_queryset(self):
        """
        This view should return a list of all the purchases
        for the currently authenticated user.
        """
        if self.request.user.is_staff == False:

            user_data= self.request.user.id
            data = User.objects.filter(user= user_data)
            return data
        else:
            data = User.objects.all()
            return data

Traceback

Traceback (most recent call last):
  FieldError(
django.core.exceptions.FieldError: Cannot resolve keyword 'user' into field. Choices are: address, booking, city, contact_number, country, created_at, dob, email, gender, id, is_active, is_admin, last_login, logentry, name, passenger, password, pincode, state, updated_at
[27/Jul/2022 06:13:35] "GET /api/v1/customer/ HTTP/1.1" 500 21434

CodePudding user response：

I believe the problem is with this line:

data = User.objects.filter(user= user_data)

Your User model does not has a user field just as your error says

Cannot resolve keyword 'user' into field. Choices are: address, booking, city, contact_number, country, created_at, dob, email, gender, id, is_active, is_admin, last_login, logentry, name, passenger, password, pincode, state, updated_at

But I can see that user_data is actually the id so maybe you could try this syntax:

data = User.objects.filter(id=user_data)