How do I restrict the user API response to the current user with Django Tastypie?

Time: 2014-06-17 16:56:41

Tags: python django tastypie

I am trying to use Django Tastypie to create a simple API. I have custom authentication (not really custom, since it is copied straight from their example) that only exposes entries from the current user. It returns all users, and I only want it to show the logged-in user. Right now I am using this as my api.py

from django.contrib.auth.models import User
from tastypie import fields
from tastypie.authentication import (ApiKeyAuthentication, MultiAuthentication,
                                     SessionAuthentication)
from tastypie.authorization import DjangoAuthorization
from tastypie.resources import ModelResource

from .models import Entry  # assumed location of the Entry model
from .authorization import UserObjectsOnlyAuthorization  # assumed module; class shown below


class UserResource(ModelResource):
    class Meta:
        queryset = User.objects.all()
        excludes = ['password', 'is_superuser']
        resource_name = 'user'
        authentication = MultiAuthentication(SessionAuthentication(), ApiKeyAuthentication())
        # DjangoAuthorization checks Django model permissions, not ownership,
        # so the list is not scoped to the requesting user.
        authorization = DjangoAuthorization()
        allowed_methods = ['get']  # the Meta option is allowed_methods, not allow_methods

class EntryResource(ModelResource):
    user = fields.ForeignKey(UserResource, 'user')

    class Meta:
        queryset = Entry.objects.all()
        resource_name = 'entry'
        authentication = MultiAuthentication(SessionAuthentication(), ApiKeyAuthentication())
        authorization = UserObjectsOnlyAuthorization()

This is the UserObjectsOnlyAuthorization it uses:

from tastypie.authorization import Authorization
from tastypie.exceptions import Unauthorized


class UserObjectsOnlyAuthorization(Authorization):
    def read_list(self, object_list, bundle):
        # This assumes a ``QuerySet`` from ``ModelResource``.
        return object_list.filter(user=bundle.request.user)

    def read_detail(self, object_list, bundle):
        # Is the requested object owned by the user?
        return bundle.obj.user == bundle.request.user

    def create_list(self, object_list, bundle):
        # Assuming they're auto-assigned to ``user``.
        return object_list

    def create_detail(self, object_list, bundle):
        return bundle.obj.user == bundle.request.user

    def update_list(self, object_list, bundle):
        allowed = []

        # Since they may not all be saved, iterate over them.
        for obj in object_list:
            if obj.user == bundle.request.user:
                allowed.append(obj)

        return allowed

    def update_detail(self, object_list, bundle):
        return bundle.obj.user == bundle.request.user

    def delete_list(self, object_list, bundle):
        # Sorry user, no deletes for you!
        raise Unauthorized("Sorry, no deletes.")

    def delete_detail(self, object_list, bundle):
        raise Unauthorized("Sorry, no deletes.")

If I apply that authentication to UserResource in api.py, like I do for EntryResource, it gives me an error. I can provide more details if necessary.

1 answer:

Answer 0 (score: 1)

You should define the filter in a new CustomUserAuthorization; check the details of this implementation and look at the Tastypie documentation on authorization.

from tastypie.authorization import Authorization
from tastypie.exceptions import Unauthorized


class CustomUserAuthorization(Authorization):
    def read_list(self, object_list, bundle):
        # This is where you put your filter
        return object_list.filter(id=bundle.request.user.id)

    def read_detail(self, object_list, bundle):
        # This is to check the current user
        return bundle.obj.id == bundle.request.user.id

    def create_list(self, object_list, bundle):
        raise Unauthorized("Sorry, not allowed.")

    def create_detail(self, object_list, bundle):
        raise Unauthorized("Sorry, not allowed.")

    def update_list(self, object_list, bundle):
        raise Unauthorized("Sorry, not allowed.")

    def update_detail(self, object_list, bundle):
        # Only update your details
        return bundle.obj.id == bundle.request.user.id

    def delete_list(self, object_list, bundle):
        raise Unauthorized("Sorry, no deletes.")

    def delete_detail(self, object_list, bundle):
        raise Unauthorized("Sorry, no deletes.")
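One reusable ownership policy that covers both resources on this page (the Entry.user check from the question and the User.id check from the answer), as an added example that is not part of the question or the answer. Unauthorized, FakeQuerySet and the SimpleNamespace users are stand-ins assumed here so the policy can be exercised without Django; in a project the class would subclass tastypie.authorization.Authorization and be wired in as authorization = OwnerOnlyAuthorization("user") on EntryResource and OwnerOnlyAuthorization() on UserResource.

```python
from types import SimpleNamespace

class Unauthorized(Exception):
    """Stand-in for tastypie.exceptions.Unauthorized so this runs without Django."""

class FakeQuerySet(list):
    """Stand-in for a Django QuerySet; only .filter(**kwargs) is needed here."""
    def filter(self, **kwargs):
        return FakeQuerySet(o for o in self
                            if all(getattr(o, k) == v for k, v in kwargs.items()))

class OwnerOnlyAuthorization:
    """Tastypie-style hooks exposing only rows the requesting user owns. owner_field
    is the FK to the owner ("user" on Entry); None means the row itself is the user."""
    def __init__(self, owner_field=None):
        self.owner_field = owner_field

    def _owner_id(self, obj):
        owner = getattr(obj, self.owner_field) if self.owner_field else obj
        return owner.id

    def read_list(self, object_list, bundle):
        user = bundle.request.user
        if self.owner_field:                   # Entry: filter(user=request.user)
            return object_list.filter(**{self.owner_field: user})
        return object_list.filter(id=user.id)  # User: filter(id=request.user.id)

    def read_detail(self, object_list, bundle):
        return self._owner_id(bundle.obj) == bundle.request.user.id

    create_detail = update_detail = read_detail  # same ownership test for writes

    def delete_list(self, object_list, bundle):
        raise Unauthorized("Sorry, no deletes.")

    delete_detail = delete_list

def demo():
    """Constructed sample data: alice (id 1) and bob (id 2); alice makes the request."""
    alice, bob = SimpleNamespace(id=1), SimpleNamespace(id=2)
    entries = FakeQuerySet([SimpleNamespace(id=10, user=alice),
                            SimpleNamespace(id=11, user=bob), SimpleNamespace(id=12, user=alice)])
    bundle = lambda obj=None: SimpleNamespace(request=SimpleNamespace(user=alice), obj=obj)
    entry_auth, user_auth = OwnerOnlyAuthorization("user"), OwnerOnlyAuthorization()
    return {
        "entry_ids": [e.id for e in entry_auth.read_list(entries, bundle())],
        "user_ids": [u.id for u in user_auth.read_list(FakeQuerySet([alice, bob]), bundle())],
        "bob_entry_visible": entry_auth.read_detail(entries, bundle(entries[1])),
        "bob_user_visible": user_auth.read_detail(None, bundle(bob)),
    }
```

Running demo() shows alice sees only entries 10 and 12 and only user 1, while detail requests for bob's entry or bob's user record are refused.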