【问题标题】:How to allow/ reject api permisions based on user group in django rest framework如何在 django rest 框架中基于用户组允许/拒绝 api 权限
【发布时间】:2020-01-28 11:05:05
【问题描述】:

我有 2 组用户 Creator 和 viewer Creator 可以创建、更新、查看、删除数据,而 Viewer 只能查看数据。

我无法理解如何轻松实现它们。:稍后如果我可能必须为不同的模型允许某些杂物。我觉得如果组可以拥有自定义访问权限,我将拥有完全控制权,也许是自定义类

我已经分离了 api,现在需要检查组是否匹配,然后允许对 api 进行操作。

serializer.py

from rest_framework import serializers
from trackit_create.models import upload_status_image, track_info
from django.contrib.auth.models import Group



class StatusSerializer(serializers.ModelSerializer):

    class Meta:
        model=track_info
        fields = ('id','description','Manufacture','user','Cost','image')

views.py

 has option to create data 
class AssetCreator(mixins.CreateModelMixin, generics.ListAPIView,mixins.ListModelMixin):
    serializer_class =StatusSerializer
    authentication_classes= [TokenAuthentication]
    permission_classes = [permissions.IsAuthenticated]


    # def get(self, request, *args, **kwags):
    #     return self.get(request, *args, **kwags)

    def get_queryset(self):
        qs= track_info.objects.all()
        query= self.request.GET.get('q')
        if query is not None:
            qs=qs.filter(content__icontains=query)
            return qs

    def get_object(self):
        request = self.request
        passed_id = request.GET.get('id',None)
        queryset =self.get_queryset()

        if passed_id is not None:
            obj = get_object_or_404(queryset, id = passed_id)
            self.check_object_permissions(request, obj)        
        return obj       

    def post(self, request, *args, **kwags):
        return self.create(request, *args, **kwags)


# has permision to edit, delete data based on the 
class StatusAPIDetailView(mixins.UpdateModelMixin, mixins.DestroyModelMixin, generics.RetrieveAPIView):


    serializer_class = StatusSerializer
    authentication_classes= [TokenAuthentication]    
    permission_classes = [permissions.IsAuthenticated]    
    queryset= track_info.objects.all()
    lookup_field ='id'


    def put(self,request,*args,**kwargs):
        return self.update(request, *args, **kwargs)


    def delete(self,request,*args,**kwargs):
        return self.destroy (request, *args, **kwargs)

    def patch(self,request,*args,**kwargs):
        return self.update (request, *args, **kwargs)

    def perform_update(self, serializer):
        serializer.save(updated_by_user= self.request.user)

    def perform_destroy(self,request):
        if instance is not None:
            return instance.delete()        
        return None


class AssetGetlist(APIView):
    permission_classes = [permissions.IsAuthenticated]
    authentication_classes= [TokenAuthentication]
    def get(self,request,format=None):
        qs = track_info.objects.all()
        query_set = Group.objects.filter(user = request.user)
        print ("fgfgf",query_set) # getting the group user is in 
        pm=print(query_set[0])
        #data={'grp':pm}           
        serializer= StatusSerializer(qs, many=True)
        return Response(serializer.data, status =status.HTTP_200_OK)

models.py

class track_info(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete= models.CASCADE)
    Entry_date = models.DateField(auto_now_add=True) 
    description = models.TextField(null=True, blank=True)
    image = models.ImageField(null=True, blank=True)
    Manufacture= models.CharField(max_length=100)
    Cost = models.IntegerField(null=True, blank=True)

我参考了https://www.botreetechnologies.com/blog/django-user-groups-and-permission 但我不能把它和我的代码联系起来

也参考了堆栈溢出但无法解决

【问题讨论】:

    标签: django django-rest-framework


    【解决方案1】:

    您可以通过扩展 Django Rest Framework BasePermission 创建一个 custom permission class

    您需要实现has_permission 方法,您可以在其中访问请求和视图对象。您可以检查 request.user 是否在正确的组中,并根据需要返回 True/False。

    类似这样的:

    from rest_framework.permissions import BasePermission
    
    class CreatorOnly(BasePermission):
        def has_permission(self, request, view):
            if request.user.groups.filter(name='your_creator_group').exists() and request.method in YOUR_ALLOWED_METHODS:
               return True
            return False
    

    然后将其添加到您的查看权限列表中:

    class AssetCreator(mixins.CreateModelMixin, generics.ListAPIView,mixins.ListModelMixin):
        ...
        permission_classes = [CreatorOnly]
    

    【讨论】:

    • 如何提及 YOUR_ALLOWED_METHODS .. 我使用过 inbuild Safe_method 但想用我自己的自定义方法。
    • @SouravRoy YOUR_ALLOWED_METHODS 只是方法名称的元组(如“GET”、“POST”、“HEAD”等)。您可以允许创作者使用POST,而观众组只能使用GET
    猜你喜欢
    • 2021-07-31
    • 2017-12-30
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2017-04-13
    • 2016-11-20
    • 2017-06-11
    • 1970-01-01
    相关资源
    最近更新 更多