Question

我想知道创建自定义权限的最佳方法，该权限检查用户是否在特定组中。以前，我有一个可以在视图上使用的装饰器，用于传递组名称元组和用户对象，然后检查该用户是否在指定的组中。

即：

def in_group_views(*group_names):
    """Requires user membership in at least one of the groups passed in."""

    def in_groups(u):
        if u.is_authenticated():
            if bool(u.groups.filter(name__in=group_names)) | u.is_superuser:
                return True
        return False

    return user_passes_test(in_groups)

我如何为视频集的DRF执行此操作，考虑到我需要检查不同操作（POST，PUT，GET）等的不同组成员身份等。

非常感谢，本

Answer 1

参数化权限类的明智方法是将参数放在视图类上。这样你就可以改变从视图到视图的行为。

以下是一个例子：

# permissions.py
from django.contrib.auth.models import Group
from rest_framework import permissions

def is_in_group(user, group_name):
    """
    Takes a user and a group name, and returns `True` if the user is in that group.
    """
    try:
        return Group.objects.get(name=group_name).user_set.filter(id=user.id).exists()
    except Group.DoesNotExist:
        return None

class HasGroupPermission(permissions.BasePermission):
    """
    Ensure user is in required groups.
    """

    def has_permission(self, request, view):
        # Get a mapping of methods -> required group.
        required_groups_mapping = getattr(view, "required_groups", {})

        # Determine the required groups for this particular request method.
        required_groups = required_groups_mapping.get(request.method, [])

        # Return True if the user has all the required groups or is staff.
        return all([is_in_group(request.user, group_name) if group_name != "__all__" else True for group_name in required_groups]) or (request.user and request.user.is_staff)

然后你就可以使用HasGroupPermission类了：

# views.py
class MyView(APIView):
     permission_classes = [HasGroupPermission]
     required_groups = {
         'GET': ['moderators', 'members'],
         'POST': ['moderators', 'someMadeUpGroup'],
         'PUT': ['__all__'],
     }

     ...

希望有所帮助！

Django REST框架：检查用户是否在组中

1 个答案: