
Mixins for integrating token-based authentication into an API.

class ResourceAPITokenMixin

Bases: object

Augments a WebAPIResource to support API tokens.

Any WebAPIResource subclass making use of this mixin can accept requests backed by an API token, and will restrict the request to that token’s policy.

It’s recommended that all resources in a project inherit from a base resource that inherits both from this mixin and from WebAPIResource. The subclass must provide, at a minimum, a value for api_token_model.

api_token_model = None

The model class for storing and accessing API token state.

api_token_access_allowed = True

Whether or not a client using API tokens can access this resource.

property policy_id

Return the ID used for access policies.

This defaults to the name of the resource, but can be overridden in case the name is not specific enough or there’s a conflict.

call_method_view(request, method, view, *args, **kwargs)

Check token access policies and call the API method handler.

If the client has authenticated with an API token, the token’s access policies will be checked before invoking the API method handler. If the policy disallows this operation, a PERMISSION_DENIED error will be returned.

is_resource_method_allowed(resources_policy, method, resource_id)

Return whether a method can be performed on a resource.

A method can be performed if a specific per-resource policy allows it, and the global policy also allows it.

The per-resource policy takes precedence over the global policy. If, for instance, the global policy blocks a method and the resource policy allows it, the method will be allowed.

If no policy applies to the method, the default is to allow.
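
The precedence rule described above (per-resource policy first, then global policy, then allow by default) can be traced with a small stand-alone resolver. This is an added example, not code from Djblets: the policy layout (a `"*"` key for global rules, a key per `policy_id` holding rules by resource ID), the `allow`/`block` lists, and the function names `check_rules` and `is_method_allowed` are all assumptions made for illustration.

```python
# Added illustration, not Djblets code. The policy layout is assumed.

def check_rules(rules, method):
    """Return True/False if this rule set decides the method, else None."""
    if not rules:
        return None
    allowed = rules.get("allow", [])
    blocked = rules.get("block", [])
    # Assumption: an explicit method entry beats "*", and block beats allow.
    if method in blocked:
        return False
    if method in allowed:
        return True
    if "*" in blocked:
        return False
    if "*" in allowed:
        return True
    return None


def is_method_allowed(resources_policy, policy_id, method, resource_id):
    """Resolve per-resource rules first, then global rules, then allow."""
    per_resource = resources_policy.get(policy_id) or {}
    candidates = (
        per_resource.get(str(resource_id)),  # this one object
        per_resource.get("*"),               # every object of this resource
        resources_policy.get("*"),           # global rules
    )
    for rules in candidates:
        decision = check_rules(rules, method)
        if decision is not None:
            return decision
    return True  # no policy applies: default is to allow


# Constructed sample policy: block everything globally, then open up reads.
SAMPLE_POLICY = {
    "*": {"block": ["*"]},
    "review_request": {
        "*": {"allow": ["GET"]},
        "42": {"allow": ["GET", "PUT"]},
    },
}

if __name__ == "__main__":
    for args in [("review_request", "GET", 7), ("review_request", "PUT", 42),
                 ("review_request", "PUT", 7), ("user", "GET", 1)]:
        print(args, is_method_allowed(SAMPLE_POLICY, *args))
    print("empty policy:", is_method_allowed({}, "user", "DELETE", 1))
```

Because the fallback is to allow, a token that is meant to be restrictive needs an explicit global block like the one in the sample policy; with an empty policy every method passes.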