FAC*_*ode 3 python api django permissions django-rest-framework
我使用Django Rest Framework,在我的一个viewset类中,我有partial_update方法(PATCH)来更新我的用户配置文件.我想为一个用户创建权限,只能更新他的个人资料.
class ProfileViewSet(viewsets.ModelViewSet):
"""
API endpoint that allows profiles to be viewed, added,
deleted or edited
"""
queryset = Profile.objects.all()
# serializer_class = ProfileSerializer
permission_classes = (IsAuthenticated,)
http_method_names = ['get', 'patch']
def get_queryset(self):
user = self.request.user
return self.queryset.filter(user=user)
def get_serializer_class(self):
if self.action == 'list':
return ListingMyProfileSerializer
if self.action == 'retrieve':
return ListingMyProfileSerializer
if self.action == 'update':
return ProfileSerializer
return ProfileSerializer
def get_permissions(self):
# Your logic should be all here
if self.request.method == 'GET':
self.permission_classes = (IsAuthenticated,)
if self.request.method == 'PATCH':
self.permission_classes = (IsAuthenticated, IsOwnerOrReject)
return super(ProfileViewSet, self).get_permissions()
def partial_update(self, request, pk=None):
...
...
现在一个用户可以更新他的个人资料和任何其他个人资 我试图创建一个权限类:IsOwnerOrReject但我不确切知道我必须做什么.谢谢你的帮助:D
解决了:
permissions.py类:
class IsUpdateProfile(permissions.BasePermission):
def has_permission(self, request, view):
# can write custom code
print view.kwargs
try:
user_profile = Profile.objects.get(
pk=view.kwargs['pk'])
except:
return False
if request.user.profile == user_profile:
return True
return False
views.py:
class ProfileViewSet(viewsets.ModelViewSet):
queryset = Profile.objects.all()
# serializer_class = ProfileSerializer
permission_classes = (IsAuthenticated,)
http_method_names = ['get', 'patch', 'delete']
...
def get_permissions(self):
...
if self.request.method == 'PATCH':
self.permission_classes = (IsAuthenticated, IsUpdateProfile)
return super(ProfileViewSet, self).get_permissions()
def partial_update(self, request, pk=None):
...
您可以添加自定义权限,以检查它是否是他自己的配置文件.像这样的东西.
# permissions.py
from rest_framework import permissions
class OwnProfilePermission(permissions.BasePermission):
"""
Object-level permission to only allow updating his own profile
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# obj here is a UserProfile instance
return obj.user == request.user
# views.py
class ProfileViewSet(viewsets.ModelViewSet):
permission_classes = (IsAuthenticated, OwnProfilePermission,)
更新:您可以删除该def get_permissions(self):部分.
您可以查看文档以获取更多信息.
IsOwnerOrReject 是将用户与当前登录用户相匹配的权限类,否则将拒绝。
在您的情况下,您必须定义自定义权限类别。检查哪个用户正在登录其他配置文件,您想申请什么权限。你可以这样做:
from django.contrib.auth.models import User ## Default Django User Model
class IsUpdateProfile(permissions.BasePermission):
def has_permission(self, request, view):
if more_condition: ## if have more condition then apply
return True
return request.user == User.objects.get(pk=view.kwargs['id'])