如何在Django Rest Framework中编辑用户权限

时间:2019-03-24 05:39:37

标签: django django-rest-framework django-permissions

我正在关注django Rest Framework的教程。我想添加基于用户的权限,以便只有经过身份验证的用户才能查看每个用户的详细信息。 目标:任何人都可以查看UserList,但只有所有者可以查看其UserDetail。

models.py 

class Meeting(models.Model):
        created = models.DateTimeField(auto_now_add=True)
        sinceWhen = models.DateTimeField(null=True)
        tilWhen = models.DateTimeField(null=True)
        owner = models.ForeignKey('auth.User', related_name='meetings', on_delete=models.CASCADE)
        #highlighted = models.TextField()

        def save(self, *args, **kwargs):
                super(Meeting, self).save(*args, **kwargs)


        class Meta:
                ordering = ('created',)

views.py 

from django.contrib.auth.models import User
# User is not created inside models.py

class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserListSerializer

class UserDetail(generics.RetrieveAPIView):
        queryset = User.objects.all()
        serializer_class = UserSerializer
        permission_classes = (permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly,)
# I added IsOwnerOrReadOnly to make it work, but this is the part where it causes error!

serializers.py 

class UserSerializer(serializers.ModelSerializer):
        meetings = serializers.PrimaryKeyRelatedField(many=True, queryset=Meeting.objects.all())
        #owner = serializers.ReadOnlyField(source='owner.username')

        class Meta:
                model = User
                fields = ('id', 'username', 'meetings',)

class UserListSerializer(serializers.ModelSerializer):
        #meetings = serializers.PrimaryKeyRelatedField(many=True, queryset=Meeting.objects.all())

        class Meta:
                model = User
                fields = ('username',)

permissions.py 

from rest_framework import permissions

class IsOwnerOrReadOnly(permissions.BasePermission):  
        def has_object_permission(self, request, view, obj):

                # Any permissions are only allowed to the owner of the meeting
                return obj.owner == request.user

我取代了IsOwnerOrReadOnly,以便只有用户可以查看其用户详细信息的详细信息。 并将其添加到views.py中的Permission_class。

然后我收到此错误:

File "/home/tony/env/lib/python3.6/site-packages/rest_framework/views.py" in check_object_permissions
  345.             if not permission.has_object_permission(request, self, obj):

File "/home/tony/swpp_hw1/meetings/permissions.py" in has_object_permission
  15.       return obj.owner == request.user

Exception Type: AttributeError at /users/1/
Exception Value: 'User' object has no attribute 'owner'

我试图在Models.py中添加User类,但再次导致错误... 如何解决这个问题?

1 个答案:

答案 0 :(得分:1)

尝试将其更改为:

return obj == request.user

由于object是您要访问的用户,而request.user是当前经过身份验证的用户。

相关问题
最新问题