我使用Django Rest Framework,并在我的一个viewsets类中使用partial_update方法(PATCH)更新我的用户配置文件。我想创建一个用户的权限可以更新只有他的个人资料。Django Rest Framework所有者权限
class ProfileViewSet(viewsets.ModelViewSet):
"""
API endpoint that allows profiles to be viewed, added,
deleted or edited
"""
queryset = Profile.objects.all()
# serializer_class = ProfileSerializer
permission_classes = (IsAuthenticated,)
http_method_names = ['get', 'patch']
def get_queryset(self):
user = self.request.user
return self.queryset.filter(user=user)
def get_serializer_class(self):
if self.action == 'list':
return ListingMyProfileSerializer
if self.action == 'retrieve':
return ListingMyProfileSerializer
if self.action == 'update':
return ProfileSerializer
return ProfileSerializer
def get_permissions(self):
# Your logic should be all here
if self.request.method == 'GET':
self.permission_classes = (IsAuthenticated,)
if self.request.method == 'PATCH':
self.permission_classes = (IsAuthenticated, IsOwnerOrReject)
return super(ProfileViewSet, self).get_permissions()
def partial_update(self, request, pk=None):
...
...
现在,一个用户可以更新他的个人资料和任何其他个人资料。 我试图创建一个权限类:IsOwnerOrReject但我不知道我必须做什么。 感谢您的帮助:d
解决:
permissions.py类:
class IsUpdateProfile(permissions.BasePermission):
def has_permission(self, request, view):
# can write custom code
print view.kwargs
try:
user_profile = Profile.objects.get(
pk=view.kwargs['pk'])
except:
return False
if request.user.profile == user_profile:
return True
return False
views.py:
class ProfileViewSet(viewsets.ModelViewSet):
queryset = Profile.objects.all()
# serializer_class = ProfileSerializer
permission_classes = (IsAuthenticated,)
http_method_names = ['get', 'patch', 'delete']
...
def get_permissions(self):
...
if self.request.method == 'PATCH':
self.permission_classes = (IsAuthenticated, IsUpdateProfile)
return super(ProfileViewSet, self).get_permissions()
def partial_update(self, request, pk=None):
...
感谢您的帮助:)我解决了问题@Aman KUmar – FACode