我在使用tastypie 0.9.12+执行记录级授权时遇到了问题。Django Tastypie记录级授权
我的设置看起来是这样的:
型号
class UserProfile(models.Model):
def __unicode__(self):
return self.user.get_full_name()
user = models.OneToOneField(User)
class Sample(models.Model):
def __unicode__(self):
return '%s' % self.id
OPEN = 0
CLAIMED = 1
CLOSED = 2
MANUAL = 3
MODIFIED = 4
DELETED = 5
ERROR = 6
RESERVED = 7
STATUS_CHOICES = (
(OPEN, 'Open'),
(CLAIMED, 'Claimed'),
(CLOSED, 'Closed'),
(MANUAL, 'Manual'),
(MODIFIED, 'Modified'),
(DELETED, 'Deleted'),
(ERROR, 'Error'),
(RESERVED, 'Reserved'),
)
status = models.SmallIntegerField(max_length = 1, default = OPEN, choices = STATUS_CHOICES)
user_profile = models.ForeignKey(UserProfile, blank = True, null = True)
资源
class BaseResource(ModelResource):
# Base class with rather strict default settings
# All other Resources extend this and override any defaults to higher permissions
class Meta:
authentication = DjangoAuthentication()
authorization = ReadOnlyAuthorization()
allowed_methods = []
class SampleResource(BaseResource): # BaseResource defines a default Meta, setting allowed_methods and authentication for all other resources in the API
UserProfile = fields.ForeignKey(UserProfileResource, 'user_profile', null = True, full = True)
class Meta(BaseResource.Meta):
queryset = Sample.objects.all()
resource_name = 'sample'
allowed_methods = ['get', 'post', 'put', 'patch']
authorization = SampleAuthorization()
always_return_data = True
def dehydrate_status(self, bundle):
return Sample.STATUS_CHOICES[bundle.data['status']][1]
def hydrate_status(self, bundle):
bundle.data['status'] = Sample.__dict__[bundle.data['status'].upper()]
return bundle
授权
class SampleAuthorization(Authorization):
# Checks that the records' owner is either None or the logged in user
def authorize_user(self, bundle):
return bundle.obj.user_profile in (None, self.user_profile(bundle))
def user_profile(self, bundle):
return user_profile.objects.get(user = bundle.request.user)
def read_list(self, object_list, bundle):
print 'Read List'
return object_list.filter(Q(user_profile = self.user_profile(bundle)) | Q(user_profile = None))
def read_detail(self, object_list, bundle):
print 'Read Detail'
return self.authorize_user(bundle)
def create_list(self, object_list, bundle):
return object_list
def create_detail(self, object_list, bundle):
return self.authorize_user(bundle)
def update_list(self, object_list, bundle):
print 'Update List'
allowed = []
for obj in object_list:
if obj.user_profile in (None, self.user_profile(bundle)):
allowed.append(obj)
return allowed
def update_detail(self, object_list, bundle):
print 'Update Detail'
print bundle.obj.status, bundle.data['status']
# Compare status stored on the server against the user-set status
# If server status is >= user status
# Raise Unauthorized
if bundle.obj.status >= bundle.data['status']:
raise Unauthorized('New status must be higher than current status')
return self.authorize_user(bundle)
def delete_list(self, object_list, bundle):
raise Unauthorized('Deletion not allowed through API')
def delete_detail(self, object_list, bundle):
raise Unauthorized('Deletion not allowed through API')
我的问题是,似乎update_detail被调用两次,不同的输入。请求的更新尝试更改存储在服务器上的记录的状态。新状态必须高于存储的状态,否则更改是未经授权的。
当运行上面的代码,我的输出是这样的:
Read Detail
Update Detail
0 Claimed
Update Detail
1 1
[27/Mar/2013 09:35:23] "PATCH /api/1.0/sample/1/ HTTP/1.1" 401 0
在第一遍时,bundle.obj.status具有正确的价值,但bundle.data [“状态”] HAS没有被水合。在第二阶段,bundle.obj.status已经被更改为新的状态,并且新的状态HAS已被水化。
因为状态在第一次通过时未被水合,所以我无法可靠地比较它们,并且不想手动调用hydrate_status,因为它会扰乱在后台完成的整个水合过程。因为第二遍的值是相同的,不管我设置了什么状态,它总是会引发未经授权的异常。
如果方法被Tastypie用存储状态值和新状态值的不同输入调用两次,我该如何实现记录级授权?