Django Rest Framework所有者权限

Question

我使用Django Rest Framework，并在我的一个viewsets类中使用partial_update方法（PATCH）更新我的用户配置文件。我想创建一个用户的权限可以更新只有他的个人资料。

class ProfileViewSet(viewsets.ModelViewSet): 
""" 
API endpoint that allows profiles to be viewed, added, 
deleted or edited 
""" 
queryset = Profile.objects.all() 
# serializer_class = ProfileSerializer 
permission_classes = (IsAuthenticated,) 
http_method_names = ['get', 'patch'] 

def get_queryset(self): 
    user = self.request.user 
    return self.queryset.filter(user=user) 

def get_serializer_class(self): 
    if self.action == 'list': 
     return ListingMyProfileSerializer 
    if self.action == 'retrieve': 
     return ListingMyProfileSerializer 
    if self.action == 'update': 
     return ProfileSerializer 
    return ProfileSerializer 

def get_permissions(self): 
    # Your logic should be all here 
    if self.request.method == 'GET': 
     self.permission_classes = (IsAuthenticated,) 
    if self.request.method == 'PATCH': 
     self.permission_classes = (IsAuthenticated, IsOwnerOrReject) 
    return super(ProfileViewSet, self).get_permissions() 

def partial_update(self, request, pk=None): 
    ... 
    ... 

现在，一个用户可以更新他的个人资料和任何其他个人资料。 我试图创建一个权限类：IsOwnerOrReject但我不知道我必须做什么。 感谢您的帮助：d

解决：

permissions.py类：

class IsUpdateProfile(permissions.BasePermission): 

    def has_permission(self, request, view): 
     # can write custom code 
     print view.kwargs 
     try: 
      user_profile = Profile.objects.get(
       pk=view.kwargs['pk']) 
     except: 
      return False 

     if request.user.profile == user_profile: 
      return True 

     return False 

views.py：

class ProfileViewSet(viewsets.ModelViewSet): 
    queryset = Profile.objects.all() 
    # serializer_class = ProfileSerializer 
    permission_classes = (IsAuthenticated,) 
    http_method_names = ['get', 'patch', 'delete'] 
    ... 

    def get_permissions(self): 
     ... 
     if self.request.method == 'PATCH': 
      self.permission_classes = (IsAuthenticated, IsUpdateProfile) 
     return super(ProfileViewSet, self).get_permissions() 

    def partial_update(self, request, pk=None): 
     ... 

Answer 1

IsOwnerOrReject是将用户与当前登录用户相匹配的权限类别，否则它会拒绝。

在你的情况你必须定义自定义权限类。哪个检查用户将登录其他配置文件您想要应用的权限。你可以这样做：

class IsUpdateProfile(permissions.BasePermission): 

     def has_permission(self, request, view): 
      #### can write custom code 
      user = User.objects.get(pk=view.kwargs['id']) // get user from user table. 
      if request.user == user: 
       return True 
      ## if have more condition then apply 
      if more_condition: 
       return True 
      return False 

Answer 2

您可以添加自定义检查是否有权限他自己的档案。像这样的东西。

# permissions.py 
from rest_framework import permissions 
class OwnProfilePermission(permissions.BasePermission): 
    """ 
    Object-level permission to only allow updating his own profile 
    """ 
    def has_object_permission(self, request, view, obj): 
     # Read permissions are allowed to any request, 
     # so we'll always allow GET, HEAD or OPTIONS requests. 
     if request.method in permissions.SAFE_METHODS: 
      return True 

     # obj here is a UserProfile instance 
     return obj.user == request.user 


# views.py 
class ProfileViewSet(viewsets.ModelViewSet): 
    permission_classes = (IsAuthenticated, OwnProfilePermission,) 

更新：您可以删除def get_permissions(self):部分。

您可以查看documentation了解更多信息。