我建议您在您的应用中定义一个权限 (<your-app>/permissions.py),如下所示:
class HasGroupMemberPermission(permissions.BasePermission):
message = 'Your custom message...'
methods_list = ['GET', ]
def has_permission(self, request, view):
if request.method not in methods_list:
return True
group_name ='put_your_desired_group_name_here'
if request.user.groups.filter(name__exact=group_name).exists():
return False
return True
然后,将上述权限导入您的视图模块 (<your-app>/views.py) 以及 Message 模型的序列化程序(假设为 MessageSerializer)。
from rest_framework.generics import RetrieveAPIView
from .permissions import HasGroupMemberPermission
from .serializers import MessageSerializer
class MessageView(RetrieveAPIView):
# use indicative authentication class
authentication_classes = (BasicAuthentication, )
permission_classes = (HasGroupMemberPermission, )
serializer_class = MessageSerializer
lookup_url_kwarg = 'message_id'
def get_object(self):
""" Do your query in the db """
qs = Message.objects.get(pk=self.kwargs['message_id'])
return qs
def get(self, request, *args, **kwargs):
return super().get(request, *args, **kwargs)
如果用户未通过身份验证,将返回 401。如果登录的用户不是所需组的成员,将返回 403。如果登录用户是组成员并且message_id 存在,将返回200。