2017-06-10 82 views

Django - How to grant custom permissions to certain users in DRF?

I want to grant some users retrieve access and some users update access to my DRF API, and not grant retrieve/update access to unauthenticated users.
In my extended user model I have two fields that define whether a user is allowed to retrieve or update via the API. How should I write the logic in my DRF custom permission class to check these two fields and grant retrieve or update depending on whether they are True or False? Should I use a ViewSet for this, or separate ListAPIView, RetrieveAPIView and UpdateAPIView classes with mixins? What is the best way to do this?

models.py

from django.conf import settings
from django.contrib.auth.models import User
from django.db import models


class UserProfile(models.Model):
    # on_delete is required from Django 2.0 onwards
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    allowRetrieveAPI = models.BooleanField(default=False)
    allowUpdateAPI = models.BooleanField(default=False)


class Track(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, blank=True, null=True, on_delete=models.SET_NULL, verbose_name="Submitted by", default=1)
    artist = models.CharField(max_length=100)
    title = models.CharField(max_length=100)

views.py

from rest_framework import permissions, viewsets

from .models import Track
from .serializers import TrackSerializer  # assumed location; not shown in the question


class CheckAPIPermissions(permissions.BasePermission):
    # allow retrieve if userprofile.allowRetrieveAPI is True
    # allow update if userprofile.allowUpdateAPI is True

    def has_permission(self, request, view):
        # return something
        pass

    def check_object_permission(self, user, obj):
        # return something
        pass

    def has_object_permission(self, request, view, obj):
        # return something
        pass


class TrackViewSet(viewsets.ModelViewSet):
    queryset = Track.objects.all()
    serializer_class = TrackSerializer
    permission_classes = (CheckAPIPermissions,)

Everyone can access the list method, then what? – zaidfazil


I forgot, but if they are able to retrieve, they should be allowed the list method. – bayman

Answer

from rest_framework import permissions


class CheckAPIPermissions(permissions.BasePermission):
    # allow retrieve if userprofile.allowRetrieveAPI is True
    # allow update if userprofile.allowUpdateAPI is True

    def has_permission(self, request, view):
        # view.action is only set on ViewSets ('list', 'retrieve', 'update', ...)
        if request.user.is_superuser:
            return True
        elif request.user and request.user.is_authenticated:  # property since Django 1.10
            if (request.user.userprofile.allowRetrieveAPI or request.user.userprofile.allowUpdateAPI) and view.action == 'retrieve':
                return True
            elif request.user.userprofile.allowUpdateAPI and view.action == 'update':
                return True
        return False

    def check_object_permission(self, user, obj):
        # helper, not called by DRF itself; obj is a Track, so check its submitter
        return (user and user.is_authenticated and (user.is_staff or obj.user == user))

    def has_object_permission(self, request, view, obj):
        # obj is a Track here, so compare its submitter (obj.user) to the requesting user
        if request.user.is_superuser:
            return True
        elif request.user and request.user.is_authenticated:
            if (request.user.userprofile.allowRetrieveAPI or request.user.userprofile.allowUpdateAPI) and view.action == 'retrieve':
                return obj.user == request.user
            elif request.user.userprofile.allowUpdateAPI and view.action == 'update':
                return obj.user == request.user
        return False

I haven't tested it, I just wrote it in the nick of time.
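As an added example (not the asker's or the answerer's code), here is a deny-by-default version of the same flag-based permission that also covers the `list` action raised in the comments and `partial_update`, and treats a user without a `UserProfile` row as having no access instead of raising. It assumes the question's `allowRetrieveAPI`/`allowUpdateAPI` flags, a `Track.user` submitter field and DRF's `view.action`; `make_user` builds constructed stand-ins so the policy can be exercised without a database.

```python
# Added example, not the asker's or answerer's code. Assumes the question's
# UserProfile.allowRetrieveAPI / allowUpdateAPI flags, a Track.user owner
# field, and DRF's view.action attribute on ViewSets.
from types import SimpleNamespace
try:
    from rest_framework.permissions import BasePermission
except ImportError:  # policy logic stays runnable without DRF installed
    class BasePermission:
        pass

# Reads (list included, per the asker's comment) need either flag; writes need allowUpdateAPI.
READ_ACTIONS = {"list", "retrieve"}
WRITE_ACTIONS = {"update", "partial_update"}

def action_allowed(user, action):
    """Deny-by-default check of one ViewSet action against the profile flags."""
    if user is None or not getattr(user, "is_authenticated", False):
        return False
    if getattr(user, "is_superuser", False):
        return True
    profile = getattr(user, "userprofile", None)  # None when no UserProfile row exists
    if profile is None:
        return False
    if action in READ_ACTIONS:
        return bool(profile.allowRetrieveAPI or profile.allowUpdateAPI)
    if action in WRITE_ACTIONS:
        return bool(profile.allowUpdateAPI)
    return False  # create, destroy and unknown actions are denied

class FlagBasedAPIPermission(BasePermission):
    def has_permission(self, request, view):
        return action_allowed(request.user, getattr(view, "action", None))

    def has_object_permission(self, request, view, obj):
        # Writes are further limited to the Track's submitter unless superuser.
        action = getattr(view, "action", None)
        if not action_allowed(request.user, action):
            return False
        if action in WRITE_ACTIONS and not getattr(request.user, "is_superuser", False):
            return getattr(obj, "user", None) == request.user
        return True

def make_user(pk=1, retrieve=False, update=False, authenticated=True, superuser=False, profile=True):
    """Constructed stand-in for a Django user (compared by pk) with an optional UserProfile."""
    user = SimpleNamespace(pk=pk, is_authenticated=authenticated, is_superuser=superuser)
    if profile:
        user.userprofile = SimpleNamespace(allowRetrieveAPI=retrieve, allowUpdateAPI=update)
    return user
```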