6
我在想Django Rest Framework的最佳实践。我一直在通过每个用户使用不同的序列化程序(工作人员与帐户所有者与其他任何人)和HTTP方法来限制访问权限,以改变帐户中的某些属性,但我感觉这太过于混乱。Django Rest框架:最佳实践?
这是完成我的任务分离出“权限”以更改对象的不同字段的最佳方式吗?还是有更好,更pythonic的方式来完成我目前以这种方式做的事情?
任何和所有批评与下面的代码被接受,因为我觉得我已经削减了一些角落。
非常感谢。
from rest_framework import serializers, viewsets
from rest_framework.permissions import SAFE_METHODS
from accounts.models import User
from cpapi.permissions import *
class UserSerializer(serializers.HyperlinkedModelSerializer):
class Meta:
model = User
fields = ('id', 'url', 'username', 'password')
write_only_fields = ('password',)
def restore_object(self, attrs, instance=None):
user = super(UserSerializer, self).restore_object(attrs, instance)
if 'password' in attrs.keys():
user.set_password(attrs['password'])
return user
class UserDetailsSerializer(UserSerializer):
class Meta(UserSerializer.Meta):
fields = ('id', 'url', 'username', 'password', 'email')
class UserListSerializer(UserSerializer):
class Meta(UserSerializer.Meta):
fields = ('id', 'url', 'username')
class UserWithoutNameSerializer(UserSerializer):
class Meta(UserSerializer.Meta):
fields = ('id', 'url', 'password', 'email')
class UserViewSet(viewsets.ModelViewSet):
"""
API endpoint that allows users to be viewed or edited.
"""
serializer_class = UserSerializer
model = User
def get_serializer_class(self): # Modify to allow different information for different access (userlist vs staff)
serializer_class = self.serializer_class
if 'List' in self.get_view_name():
serializer_class = UserListSerializer
elif self.request.method in ['PUT', 'PATCH']:
serializer_class = UserWithoutNameSerializer
elif self.get_object() == self.request.user or self.request.user.is_staff:
serializer_class = UserDetailsSerializer
return serializer_class
def get_permissions(self):
if self.request.method in SAFE_METHODS or self.request.method == 'POST':
return [AllowAny()]
elif self.request.method == 'DELETE':
return [IsAdminUser()]
else:
return [IsStaffOrTargetUser()]