我想授予一些用户检索访问权限,一些用户更新访问权限,并且不授予未经身份验证的用户对我的 DRF API 的检索/更新访问权限。
在我的扩展用户模型中,我有两个字段定义是否应允许用户检索或更新 API。我应该如何在我的 DRF 自定义权限类中编写逻辑来检查这两个字段并根据 True 或 False 授予检索或更新权限?我应该为此使用 ViewSet 还是将单独的 ListAPIView、RetrieveAPIView 和 UpdateAPIView 类与 Mixins 一起使用?做这个的最好方式是什么?
models.py
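class UserProfile(models.Model):
    """Per-user API entitlement flags, attached 1:1 to the auth user.

    Both flags default to False, so a freshly created profile grants
    nothing until an administrator switches the flags on explicitly.
    """

    # CASCADE is the implicit default on Django < 2.0; Django >= 2.0 makes
    # on_delete mandatory, so the original bare OneToOneField(User) no
    # longer loads. Stating it keeps the behaviour identical on both.
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    # Read by CheckAPIPermissions: grants the ViewSet `retrieve` action.
    allowRetrieveAPI = models.BooleanField(default=False)
    # Read by CheckAPIPermissions: grants the `update` action and also
    # satisfies `retrieve`.
    allowUpdateAPI = models.BooleanField(default=False)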
class Track(models.Model):
    """A submitted track; the object type served by TrackViewSet."""

    # Submitter / owner. Nullable and cleared (SET_NULL) when the user row
    # is deleted, so track.user can legitimately be None.
    # NOTE(review): default=1 means any Track saved without an explicit user
    # is silently attributed to the user with pk 1 -- typically the first
    # (super)user created. Confirm that is intended before ownership checks
    # are built on this field.
    user = models.ForeignKey(settings.AUTH_USER_MODEL, blank=True, null=True, on_delete=models.SET_NULL, verbose_name="Submitted by", default=1)
    artist = models.CharField(max_length=100,)
    title = models.CharField(max_length=100,)
views.py
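class CheckAPIPermissions(permissions.BasePermission):
    """Skeleton of the permission class; every hook denies by default.

    DRF calls has_permission() before the view body runs and
    has_object_permission() once the target object has been fetched; a
    hook returning False denies the request. The original skeleton left
    the bodies empty (not valid Python); returning False keeps the stub
    fail-closed until the UserProfile checks are filled in.
    """

    def has_permission(self, request, view):
        """TODO: allow `retrieve` when userprofile.allowRetrieveAPI is True
        and `update` when userprofile.allowUpdateAPI is True (the original
        comment said allowReadAPI; the model field is allowRetrieveAPI)."""
        return False

    def check_object_permission(self, user, obj):
        """Not a DRF hook: a helper the author intended to call from
        has_object_permission(). Deny until implemented."""
        return False

    def has_object_permission(self, request, view, obj):
        """TODO: apply the same flag checks against the fetched object."""
        return False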
class TrackViewSet(viewsets.ModelViewSet):
    """CRUD endpoint for Track, guarded solely by CheckAPIPermissions.

    Setting permission_classes on the view replaces DRF's
    DEFAULT_PERMISSION_CLASSES for this endpoint, so CheckAPIPermissions is
    the only gate. The queryset is the unfiltered table; no per-user
    scoping happens here.
    """

    serializer_class = TrackSerializer
    permission_classes = (CheckAPIPermissions,)
    queryset = Track.objects.all()
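class CheckAPIPermissions(permissions.BasePermission):
    """Gate ViewSet actions on the caller's UserProfile flags.

    Decision order, in both hooks:
      1. superusers are always allowed;
      2. anonymous callers are always denied;
      3. the ViewSet action must appear in ACTION_FLAGS and at least one of
         the named UserProfile flags must be True (a user with no
         UserProfile row is denied rather than raising a 500);
      4. at object level the caller must also be the object's owner, read
         from the attribute named by OWNER_FIELD (set it to None to rely on
         the flags alone).
    Any action not listed in ACTION_FLAGS -- list, create, destroy, and any
    non-ViewSet view, which has no `action` attribute -- is denied to
    non-superusers, so the class fails closed.
    """

    # ViewSet action -> UserProfile flags, any one of which grants it.
    # allowUpdateAPI also satisfies retrieve, as in the original answer.
    # partial_update (PATCH) is an update too; the original answer left it
    # unmapped and therefore denied it to everyone but superusers.
    ACTION_FLAGS = {
        'retrieve': ('allowRetrieveAPI', 'allowUpdateAPI'),
        'update': ('allowUpdateAPI',),
        'partial_update': ('allowUpdateAPI',),
    }
    # Attribute on the target object that holds its owner. Track.user is
    # the "Submitted by" FK; the original compared request.user with the
    # Track instance itself, which can never be equal, so the object-level
    # check silently denied every non-superuser.
    OWNER_FIELD = 'user'

    @staticmethod
    def _is_authenticated(user):
        """Version-safe is_authenticated.

        It is a method before Django 1.10, a CallableBool in 1.10/1.11 and a
        plain property from 2.0 on. Reading the bare attribute on old Django
        would be a bound method -- truthy for anonymous users too -- and
        calling it on new Django raises TypeError; handle both.
        """
        if user is None:
            return False
        flag = getattr(user, 'is_authenticated', False)
        return bool(flag() if callable(flag) else flag)

    def _allowed_flags(self, request, view):
        """True when the caller's profile holds a flag for this action.

        Unknown action, missing `view.action`, or missing profile -> False.
        """
        flags = self.ACTION_FLAGS.get(getattr(view, 'action', None), ())
        # RelatedObjectDoesNotExist subclasses AttributeError, so a user
        # without a UserProfile row yields None here instead of a 500.
        profile = getattr(request.user, 'userprofile', None)
        if profile is None:
            return False
        return any(getattr(profile, name, False) for name in flags)

    def has_permission(self, request, view):
        """View-level gate, evaluated before any object is fetched."""
        user = request.user
        if getattr(user, 'is_superuser', False):
            return True
        if not self._is_authenticated(user):
            return False
        return self._allowed_flags(request, view)

    def check_object_permission(self, user, obj):
        """Helper kept from the original answer; not a DRF hook and not
        called by this class. Allows staff, or the object being the user
        itself."""
        return bool(user and self._is_authenticated(user)
                    and (user.is_staff or obj == user))

    def has_object_permission(self, request, view, obj):
        """Object-level gate: the view-level rules plus ownership."""
        user = request.user
        if getattr(user, 'is_superuser', False):
            return True
        if not self._is_authenticated(user):
            return False
        if not self._allowed_flags(request, view):
            return False
        if self.OWNER_FIELD is None:
            return True
        owner = getattr(obj, self.OWNER_FIELD, None)
        # Track.user is nullable; an ownerless object matches nobody.
        return owner is not None and owner == user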
我还没有测试它,只是在很短的时间内写的。