【问题标题】:Mixins for Permissions Django REST ListCreateAPIView用于权限的混合 Django REST ListCreateAPIView
【发布时间】:2023-04-03 02:18:01
【问题描述】:

如果我可能有错误的代码,我很抱歉,但我并没有真正做 django 休息。我想从 django 的内置用户模型中检测权限。我向用户模型添加了权限,但由于某种原因 has_perm 不起作用。我改为使用 user_objects.all() 并检测权限对象是否存在。我想返回一个错误400:如果用户没有权限,则未授权。

这是我目前的解决方案(不工作):

class ProgramListCreateView(PermissionRequiredMixin,ListCreateAPIView):
    permission_required = Permission.objects.get(name="Can CRUD")
    permission_classes = (IsAuthenticated,)
    queryset = Program.objects.all()
    serializer_class = ProgramSerializer

    def check_user(self,request):
        if self.permission_required in request.user.user_permissions.all():
            return True
        return Response(status=400)

当我在未经许可的情况下发送带有用户令牌的 json 时,它仍然会创建对象

这是我的混音器:

 class PermissionRequiredMixin(object):
    user_check_failure_path = 'auth_login'
    permission_required = None

    def check_user(self, user):
        return user.has_perm(self.permission_required)

注意:由于某种原因,has_perm 总是返回 false,即使我使用 user.user_permissions.add(permission_object) 添加它也是如此

【问题讨论】:

  • 你了解 djangorest 自定义权限了吗?
  • 是的,但是文档非常有限,所以我选择使用 mixins

标签: python django django-rest-framework mixins django-generic-views


【解决方案1】:

听起来您正在尝试验证特定用户是否有权访问您的APIView

您可以简单地使用DjangoModelPermissions read more

class ProgramListCreateView(ListCreateAPIView):
    permission_classes = (IsAuthenticated, DjangoModelPermissions)
    ...

您也可以使用自定义权限read more

from rest_framework import permissions

class UserPermission(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        '''
         Object-level permission to only allow user model manipulation
        '''

        # IF you  would like to allow GET, HEAD or OPTIONS requests,
        if request.method in permissions.SAFE_METHODS:
            return True

        # check if user is owner
        return request.user == obj

用法

from custom_permission import UserPermission

class ProgramListCreateView(ListCreateAPIView):
    permission_classes = (UserPermission, )
    ...

如果您想在全球范围内获得您的许可,您可以将其包含在您的 settings.py 中

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
        'rest_framework.permissions.DjangoModelPermissions',
    )
}

【讨论】:

    【解决方案2】:

    这就是我所做的:我创建了一个扩展默认通用 API 视图的 Mixin,我只是覆盖了 put post 和 get 函数

    class MasterGenericAPIViewMixin(ListCreateAPIView, RetrieveUpdateDestroyAPIView):
    codename = None
    
    def post(self, request, *args, **kwargs):
        permission = Permission.objects.get(codename=self.codename)
        if permission not in request.user.user_permissions.all():
            return Response(status=403, data={
                "error": "not authorized to add"
            })
    
        return self.create(request, *args, **kwargs)
    
    def put(self, request, *args, **kwargs):
        permission = Permission.objects.get(codename=self.codename)
        if permission not in request.user.user_permissions.all():
            return Response(status=403, data={
                "error": "not authorized to edit"
            })
        return self.update(request, *args, **kwargs)
    
    def delete(self, request, *args, **kwargs):
        permission = Permission.objects.get(codename=self.codename)
        print(permission)
        print(request.user)
        if permission not in request.user.user_permissions.all():
            return Response(status=403, data={
                "error": "not authorized to delete"
            })
        return self.destroy(request, *args, **kwargs)
    

    我所有的观点都扩展了这个类

    【讨论】:

      猜你喜欢
      • 2018-01-09
      • 1970-01-01
      • 2017-10-28
      • 1970-01-01
      • 2021-06-15
      • 2020-06-21
      • 2020-05-02
      • 1970-01-01
      • 2016-06-17
      相关资源
      最近更新 更多