个人中心
gpt4 book ai didi

django - 如何从 BasePermission 中访问 URL 参数?

转载 作者:行者123 更新时间:2023-12-04 06:17:47 24 4
gpt4 key购买 nike

我正在尝试编写自定义 rest_framework 权限,以防止用户查询与他们不同公司的信息。不幸的是,我似乎无法从 has_permission() 中访问任何 URL 参数。或 has_object_permissions() .

这是我的路由器的开头:

# Create a basic router
router = routers.SimpleRouter()
# Establish some variables to assist with nested routes
root_elem = 'companies'
root_elem_id = '/(?P<company_id>[0-9]+)'
loca_elem = '/locations'
loca_elem_id = '/(?P<location_id>[0-9]+)'
# Companies will be the root from which all other relations branch
router.register(r'' + root_elem, views.CompanyViewSet)
router.register(r'' + root_elem + root_elem_id + loca_elem,
                views.LocationViewSet)

这是我的自定义权限: 
# Only permit actions originating from location managers or company admins
class IsLocationManagerOrHigher(BasePermission):
    # Checked when displaying lists of records
    def has_permission(self, request, *args, **kwargs):
        is_correct_level = False
        # Admins can see every location if their location_id
        # matches a location that's a child of the company
        # specified in the URL
        if request.employee.is_admin:
            is_correct_level = True

        return request.user and is_correct_level

    # Checked when viewing specific records
    def has_object_permission(self, request, view, obj):
        is_correct_level = False
        # Admins can see location details if their location's company_id
        # matches a Location's company_id
        if request.employee.is_admin:
            is_correct_level = True
        # Managers can see location details if it's their location
        elif obj.id == request.employee.location_id and request.employee.is_manager:
            is_correct_level = True

        return request.user and is_correct_level

现在正在检查 request.employee.is_admin只是我需要的一半 - 我还需要访问 company_id来自 URL 并确保它匹配管理员的位置 company_id : 
# Pseudocode
try:
    user_location = Location.objects.get(id=request.employee.location_id)
    return user_location.company_id == kwargs['company_id']
except ObjectDoesNotExist:
    pass

我还没有弄清楚如何将这些参数传递到 Permission 中,以便它可以执行这个额外的步骤。或者也许有更好的方法来完成我正在尝试做的事情?

最佳答案

如果你不能直接传递它们(这会更好),它们在请求对象上可用:

company_id = request.resolver_match.kwargs.get('company_id')
request.resolver_match.argsrequest.resolver_match.kwargs包含在您的 url 中捕获的位置/关键字参数。

关于django - 如何从 BasePermission 中访问 URL 参数?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29660423/

24 4 0
文章推荐: filepicker.io - Filepicker 拖放小部件大小
文章推荐: scala - 纯函数式编译器如何用类型信息注释 AST?
文章推荐: ruby-on-rails - 如何在没有 "root"节点和 rabl 的情况下使用不同的模板进行收集
文章推荐: ruby-on-rails - Rails 应用程序单选按钮不更新 bool 字段
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com