python - 在 django Rest 框架中组合 2 个自定义权限

Question

我有一个名为 Showcase 的模型，用户用它来展示项目，还有一个协作模型，用户可以在其中将协作者添加到展示中。我正在尝试实现一种情况，展示柜中的管理员和协作中的用户可以删除该协作。

为了更好地解释，在展示模型中，有一个管理展示的管理员列表。他们还可以将协作者(通过 Collaborator 模型)添加到展示中。 Collaborator 有一个用户字段，它是对展示做出贡献的用户。

我希望在添加协作者后，该用户可以删除自己(如果他不想成为展示的一部分)，或者管理员可以删除该协作者(如果添加了错误的用户并且想从那个展示中删除他)

模型.py

class Showcase(models.Model):
    title = models.CharField(max_length=50)
    description = models.TextField(null=True)
    skill_type = models.ForeignKey(Skill, on_delete=models.CASCADE)
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.DO_NOTHING, related_name="Showcases")
    content = models.TextField(null=True)
    created_on = models.DateTimeField(auto_now_add=True)
    updated_on = models.DateTimeField(auto_now=True)
    voters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name="upvotes")
    slug = models.SlugField(max_length=255, unique=True)
    administrator = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name="administrators", blank=True)


class Collaborator(models.Model):
    post = models.ForeignKey(Showcase, on_delete=models.CASCADE, related_name="collaborated_showcases")
    user = models.ForeignKey(settings.AUTH_USER_MODEL, 
                            on_delete=models.CASCADE, related_name="collaborators")
    skill = models.ForeignKey(Skill, on_delete=models.CASCADE, null=True, related_name="creative_type")
    role = models.TextField(null=True)
    created_on = models.DateTimeField(auto_now_add=True)
    updated_on = models.DateTimeField(auto_now=True)

权限.py

class IsUser(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return False
        return obj.user == request.user


class IsAdmin(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return False
        return request.user.administrators.filter(pk=obj.pk).exists()

查看.py

class CollaboratorDeleteView(APIView):
    '''
    Allow Administrators to delete a collaborator to a showcase 
    or allow the collaborator user to be able to delete himself 
    '''
    permission_classes = [IsAdmin]

    def delete(self, request, pk):
        collaborator = get_object_or_404(Collaborator, pk=pk)
        showcase = collaborator.post

        try:
            self.check_object_permissions(request, showcase)
            collaborator.delete()
            return Response(status=status.HTTP_204_NO_CONTENT)
        except APIException:
            return Response(status=status.HTTP_403_FORBIDDEN)

网址

path("collaborator/<int:pk>/delete/", qv.CollaboratorDeleteView.as_view(), name="collaborator-delete-view"),

现在我已经能够实现管理员可以删除协作者，但是如何在 Collaborator 模型中为用户添加另一个权限，以便能够通过该权限删除自己作为协作者相同的观点？

Answer 1

您可以使用 &(和)、| 将所需数量的权限添加到 permission_classses 属性中。 (或)和 ~(非)符号 ( doc ):

class CollaboratorDeleteView(APIView):
    '''
    Allow Administrators to delete a collaborator to a showcase 
    or allow the collaborator user to be able to delete himself 
    '''
    permission_classes = [IsAdmin|IsUser]

这两个权限现在都可以使用OR逻辑。