Django Rest Framework对POST的对象级权限

时间:2015-04-25 15:44:35

标签: django django-rest-framework

我想确保request.user只能发出一个POST请求来创建一个论坛主题,在这个主题中他们是作者。使用PUT和DELETE我可以通过使用has_object_permission来实现这一点,但是使用POST我无法做到这一点,我猜是因为尚未创建对象。

class TopicPermission(IsAuthenticatedOrReadOnly):
    """
    Any user should be able to read topics but only authenticated 
    users should be able to create new topics. An owner or moderator 
    should be able to update a discussion or delete.
    """
    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True

        # Instance must have an attribute named `author` or moderator
        return obj.author == request.user or request.user.forum_moderator

我如何在POST请求中验证request.user == obj.author

1 个答案:

答案 0 :(得分:4)

我最终在视图集中进行验证而不是序列化程序:

class TopicViewSet(viewsets.ModelViewSet):
    permission_classes = (TopicPermission, )
    queryset = Topic.objects.all()
    serializer_class = TopicSerializer

    def create(self, request, *args, **kwargs):
        """
        verify that the POST has the request user as the obj.author
        """
        if request.data["author"] == str(request.user.id):
            serializer = self.get_serializer(data=request.data)
            serializer.is_valid(raise_exception=True)
            self.perform_create(serializer)
            headers = self.get_success_headers(serializer.data)
            return Response(serializer.data, status=201, headers=headers)
        else:
            return Response(status=403)
相关问题
最新问题