In Django REST framework, what is the best way to allow changes based on certain conditions?

Posted 2024-09-26 18:17:20


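I am building an API with Django REST framework, and I am using a ModelViewSet with CustomObjectPermissions. It works fine for any user who has the right permissions, but I would like to know how to allow any user to update their own profile. I mean that this user cannot update other users, but if the user id is the current user's id, he can update some columns. This user does not have any Django permissions; he only has access to the application. In the end, I would like to use this together with DjangoObjectPermissions.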

Views.py: here I want to allow any user to update their own profile

from rest_framework_simplejwt.views import TokenObtainPairView
from rest_framework import status, permissions, generics, viewsets
from rest_framework.response import Response
from rest_framework.views import APIView

from .serializers import MyTokenObtainPairSerializer, UserSerializer
from .models import User
from authentication.permisssions import CustomObjectPermissions

class ObtainTokenPairView(TokenObtainPairView):
    permission_classes = (permissions.AllowAny,)
    serializer_class = MyTokenObtainPairSerializer


class UserViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows users to be viewed or edited.
    """
    permission_classes = (CustomObjectPermissions,)
    queryset = User.objects.all().order_by('-date_joined')
    serializer_class = UserSerializer

Permissions.py

from rest_framework import permissions

class CustomObjectPermissions(permissions.DjangoObjectPermissions):
    """
    Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
    """
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
        'HEAD': ['%(app_label)s.view_%(model_name)s'],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

1 answer
User
Answer 1 · Posted 2024-09-26 18:17:20

You need to create a custom permission so that users can only edit their own profile. Add the following permission class in permissions.py

from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.created_by == request.user
