如何根据请求方式设置不同的权限?
如何根据请求方式设置不同的权限?
提问于 2021-07-17 14:49:39
我正在为一些投票创建一个API。我需要作者是唯一一个谁可以查看投票,但通过认证的用户来查看投票,问题,并张贴投票。作者只是一个用户的例子,就像选民一样。我使用Djoser来提供身份验证API、模型序列化程序,并在CBV和视图集之间来回切换。
这是我的模型,如果可以帮助的话。
from django.db import models
from django.contrib.auth import get_user_model
from django.utils import timezone
import datetime
User = get_user_model()
class Poll(models.Model):
title = models.CharField(max_length=200, verbose_name="Naslov ankete")
description = models.TextField(verbose_name="Opis ankete")
author = models.ForeignKey(User, on_delete=models.CASCADE, related_name="polls", verbose_name="Autor")
class Meta:
verbose_name = "Anketa"
verbose_name_plural = "Ankete"
def __str__(self):
return self.title
class Question(models.Model):
poll = models.ForeignKey(Poll, on_delete=models.CASCADE, related_name="questions", verbose_name="Anketa")
question_text = models.CharField(max_length=200, verbose_name="Tekst pitanja")
pub_date = models.DateTimeField(verbose_name="Datum objavljivanja")
class Meta:
ordering = ["pub_date", "question_text"]
verbose_name = "Pitanje"
verbose_name_plural = "Pitanja"
def __str__(self):
return self.question_text
def was_published_recently(self):
now = timezone.now()
return now - datetime.timedelta(days=1) <= self.pub_date <= now
def verbose_question_text(self):
return f"Pitanje: {self.question_text}"
class Choice(models.Model):
question = models.ForeignKey(Question, on_delete=models.CASCADE, related_name="choices", verbose_name="Pitanje")
choice_text = models.CharField(max_length=200, verbose_name="Tekst opcije")
# votes = models.IntegerField(default=0, verbose_name="Glasovi")
class Meta:
ordering = ["-votes", "pk"]
verbose_name = "Opcija"
verbose_name_plural = "Opcije"
def __str__(self):
return self.choice_text
class Vote(models.Model):
choice = models.ForeignKey(Choice, on_delete=models.CASCADE, related_name="votes", verbose_name="Opcija")
def __str__(self):
return self.choice.choice_text附言:如果你认为投票可以用更好的方式解决,请也提出来。
回答 1
Stack Overflow用户
回答已采纳
发布于 2021-07-17 16:07:00
我认为您可以通过创建自定义权限(从IsAuthenticated类扩展)并覆盖方法has_object_permission,see documentation来完成此操作。
from rest_framework.permissions import IsAuthenticated
class AuthorFullAccessUserPostOnly(IsAuthenticated):
def has_object_permission(self, request, view, obj):
if request.method == "POST":
return True
# This part better to implement with query
# Also, it will work only for Vote object.
# You need to extend this method if you are going to use for another objects
return request.user == obj.choice.question.poll.author您可以为每个视图(或视图集)创建权限类,也可以扩展此权限类,使其与对象类型相关
如果你想对不同的请求方法使用不同的条件,你可以使用某种逻辑
class PoolPermissions(IsAuthenticated):
def has_object_permission(self, request, view, obj):
if request.method == "POST":
self.has_post_object_permission(request, view, obj)
elif request.method == "GET":
self.has_get_object_permission(request, view, obj)
elif request.method == "PUT":
self.has_put_object_permission(request, view, obj)
# etc.
...
def has_get_object_permission(self, request, view, obj):
# your logic
pass
def has_post_object_permission(self, request, view, obj):
# your logic
pass
def has_put_object_permission(self, request, view, obj):
# your logic
pass页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/68421587
复制相关文章
相似问题
腾讯云开发者
