如何限制用户创建他们无权访问的模型

时间:2019-07-29 17:19:58

标签: django-models django-rest-framework django-rest-viewsets

我有工作区 Request 模型。一个工作空间可以分配多个用户。任何用户都可以创建请求。我想限制用户仅在他/她有权访问的那些工作区上创建请求。

当前,在我的 create 方法中,我正在明确检查用户是否已分配给工作区,如所附代码所示。但是我很好奇我是否可以使用django权限来更好地做到这一点。我已尝试实现代码中所示的 get_permissions 方法。

# models.py
from django.db import models
from django.contrib.auth.models import User

# Create your models here.

class Workspace(models.Model):
    name = models.CharField(max_length=50)
    creation_date = models.DateTimeField('creation_date', auto_now_add=True)
    users = models.ManyToManyField(User)

    def __repr__(self):
        return '<Workspace: %r, %r, %r>' % (self.id, self.name, self.users)


class Request(models.Model):
    name = models.CharField(max_length=50)
    status = models.CharField(max_length=10, default='NEW')
    status_msg = models.CharField(max_length=100, default=None, blank=True, null=True)
    query_str = models.CharField(max_length=1000)
    # user = models.ForeignKey(User, on_delete=models.DO_NOTHING)
    workspace = models.ForeignKey(Workspace, on_delete=models.DO_NOTHING)
    request_type = models.CharField(max_length=20, default='AD')
    creation_date = models.DateTimeField('creation_date', auto_now_add=True)


    def __repr__(self):
        return '<Request %r, %r, %r, %r>' % (self.id, self.query_str, self.status, self.status_msg)

# views.py
class RequestViewSet(viewsets.ModelViewSet):
    def create(self, request, *args, **kwargs):
            workspace_id = request.data['workspace']
            # check if user has access to this workspace
            if Workspace.objects.filter(pk=workspace_id).filter(users=request.user.id).exists():
                print('workspace exists')
                request.data['user'] = request.user.id
                print(request.data)
                return super(RequestViewSet, self).create(request, *args, **kwargs)
            return Response(status=status.HTTP_403_FORBIDDEN)


    def get_permissions(self):
            """
            Instantiates and returns the list of permissions that this view requires.
            """
            print(self.action)
            if self.action == 'create':
                permission_classes = [IsAuthenticated,]
            else:
                permission_classes = [IsAuthenticated,]
            print(permission_classes)
            return [permission() for permission in permission_classes]

1 个答案:

答案 0 :(得分:0)

您要应用的是对象级权限。您无需使用django权限即可执行此操作。相反,您可以通过使用request.user来实现,def your_view(request, pk): workspace = models.Workspace.objects.get(pk=pk) if request.user not in workspace.users.all(): # user is not related to that workspace, permission denied raise PermissionDenied else: # permission granted, do what you want pass 保留当前发出请求的用户。因此,您将需要以下内容:

.//[span[text()='select']

除了引发异常外,您还可以在用户没有权限时更改行为,例如返回403 HTML模板等。这取决于您的设计。

相关问题
最新问题