个人中心
gpt4 book ai didi

Django Rest Framework 相关模型权限

转载 作者:行者123 更新时间:2023-12-02 04:32:33 27 4
gpt4 key购买 nike

我正在使用 DRF 构建一个简单的 API。我有 3 个相关模型:用户、设备、数据。 (用户-设备和设备-数据之间的一对多关系)

我遇到权限问题。目前,对于用户-设备关系,经过身份验证的用户只能查看或编辑自己的设备。 (当他们创 build 备时,就会自动建立关系。)

我希望用户能够仅针对其设备查看、创建或编辑数据。例如,用户无法创建不属于他的设备的数据或查看不属于他的设备的数据。我不知道实现此目标的正确方法是什么。你能帮我解决这个问题吗?

这是我的views.py

from django.contrib.auth.models import User, Group
from rest_framework import viewsets, permissions
from iot_cloud_app.serializers import *
from iot_cloud_app.permissions import IsOwner

# Create your views here.

class DeviceViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows devices to be viewed or edited.
    """
    serializer_class = DeviceSerializer
    permission_classes = (
        IsOwner,
    )

    def get_queryset(self):
        """
        Filter devices of the user that made the request.
        """
        return Device.objects.all().filter(user=self.request.user)

    def perform_create(self, serializer):
        serializer.save(user=self.request.user)


class DataViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows device data to be viewed or edited.
    """
    serializer_class = DataSerializer

    def get_queryset(self):
        """
        Filter data of devices that belongs to user who made the request.
        """
        return Data.objects.all().filter(device__user=self.request.user)

serializers.py

from django.contrib.auth.models import User, Group
from iot_cloud_app.models import Device, Data
from rest_framework import serializers


class DeviceSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = Device
        fields = ('id', 'name', 'type', 'code')


class DataSerializer(serializers.HyperlinkedModelSerializer):
    created = serializers.ReadOnlyField()
    modified = serializers.ReadOnlyField()
    class Meta:
        model = Data
        fields = ('id', 'device', 'payload', 'created', 'modified')

编辑:permissions.py

from rest_framework import permissions


class IsOwner(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to do actions.
    """

    def has_object_permission(self, request, view, obj):
        # Permissions are only allowed to the owner of the device.
        return obj.user == request.user

谢谢。

最佳答案

由于您重写了 DataViewSet 类的 get_queryset 方法,用户将无法访问现有对象,如果对象的设备与用户不相关,他们将看到 404 错误。如果您需要 403 错误,您可以实现与 IsOwner 相同的自定义权限类:

class IsDeviceOwner(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # Permissions are only allowed to the owner of the device.
        return obj.device.user == request.user

并在 View 集中使用它:

class DataViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows device data to be viewed or edited.
    """
    serializer_class = DataSerializer
    permission_classes = (IsDeviceOwner,)

    def get_queryset(self):
        """
        Filter data of devices that belongs to user who made the request.
        """
        return Data.objects.all().filter(device__user=self.request.user)

要限制数据创建时的设备选择,您可以实现序列化器的 validate_device 方法:

class DataSerializer(serializers.HyperlinkedModelSerializer):
    created = serializers.ReadOnlyField()
    modified = serializers.ReadOnlyField()
    class Meta:
        model = Data
        fields = ('id', 'device', 'payload', 'created', 'modified')
    def validate_device(self, value):
        if value.user != self.context['request'].user:
            raise serializers.ValidationError('Wrong device id')
        return value

关于Django Rest Framework 相关模型权限,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50646966/

27 4 0
文章推荐: r - 使用 R 并行加速 Bootstrap
文章推荐: c# - 我应该如何声明我的方法需要任何类?
文章推荐: xaml - Windows Phone 8 导航回同一页面
文章推荐: eigen3 - 特征不支持的张量到特征矩阵
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com