How to restrict GET/POST access to a resource in tastypie by a custom user type

Posted: 2016-07-13 11:07:32

Tags: python django tastypie

I have extended Django's default User model to add a new user-type field. The user-type categories are admin, user and viewer. I want to implement a REST API for this with tastypie and grant access to the API according to user type. For example, an admin user has full access to this API, a user can view all fields but can only update their own account, and a viewer cannot access this API at all.

api.py


What is the best way to handle this?

1 answer:

Answer 0 (score: 0)

First, write your own authentication class. In this class, check whether the user is a viewer. If so, return False.

from tastypie.authentication import BasicAuthentication


class MyAuthentication(BasicAuthentication):
    def is_authenticated(self, request, **kwargs):
        # Let BasicAuthentication verify the credentials first; on success it
        # returns True and sets request.user. On failure it returns an
        # HttpUnauthorized response object, which is truthy, so compare against
        # True instead of using "not": otherwise a failed login would fall
        # through to the attribute access below on an AnonymousUser.
        is_authenticated = super(MyAuthentication, self).is_authenticated(request, **kwargs)
        if is_authenticated is not True:
            return is_authenticated
        # Viewers must not reach the API at all, so reject them here, before
        # any authorization hook runs.
        return request.user.user_type_category != 'viewer'

Second, write your own authorization class. In this class, override the functions [create|update|delete]_[list|detail]. In create and delete, check whether the user is an admin; if not, raise an exception (detail) or return [] (list). In update, check whether the user is updating themselves; if not, raise an exception or return [].

from tastypie.authorization import DjangoAuthorization
from tastypie.exceptions import Unauthorized


class MyAuthorization(DjangoAuthorization):
    # Viewers never get here: MyAuthentication rejects them before authorization runs.
    # The super() calls keep DjangoAuthorization's Django model-permission checks.

    def _is_admin(self, bundle):
        return bundle.request.user.user_type_category == 'admin'

    def create_detail(self, object_list, bundle):
        super(MyAuthorization, self).create_detail(object_list, bundle)
        if not self._is_admin(bundle):
            raise Unauthorized("You are not allowed to create that resource.")
        return True

    def create_list(self, object_list, bundle):
        if not self._is_admin(bundle):
            return []
        return super(MyAuthorization, self).create_list(object_list, bundle)

    def delete_detail(self, object_list, bundle):
        super(MyAuthorization, self).delete_detail(object_list, bundle)
        if not self._is_admin(bundle):
            raise Unauthorized("You are not allowed to delete that resource.")
        return True

    def delete_list(self, object_list, bundle):
        if not self._is_admin(bundle):
            return []
        return super(MyAuthorization, self).delete_list(object_list, bundle)

    def update_detail(self, object_list, bundle):
        # Must call update_detail here (the original called delete_detail by mistake).
        super(MyAuthorization, self).update_detail(object_list, bundle)
        # Admins may update anyone; a user may update only their own account.
        # Compare primary keys rather than object identity.
        if self._is_admin(bundle) or bundle.obj.pk == bundle.request.user.pk:
            return True
        raise Unauthorized("You are not allowed to update that resource.")

    def update_list(self, object_list, bundle):
        object_list = super(MyAuthorization, self).update_list(object_list, bundle)
        if self._is_admin(bundle):
            return object_list
        # bundle.obj is not populated for list operations, so narrow the
        # queryset to the requesting user's own row instead.
        return object_list.filter(pk=bundle.request.user.pk)
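The policy the two classes implement can be exercised without Django if it is lifted out of tastypie. The following is an added example, not part of the answer above, that models the same role matrix in plain Python: admins may do everything, users may read every account but update only their own, and viewers are rejected at the authentication step before any authorization runs, exactly as `MyAuthentication` does. `Account`, `authorize_detail`, `authorize_list` and `is_denied` are hypothetical names chosen for this example; the `*_detail` functions raise on denial and the `*_list` functions return the permitted subset, mirroring tastypie's hook contract. One caveat for the real classes: `DjangoAuthorization`'s `super()` calls also enforce Django's per-model permissions, so a 'user' account lacking those permissions is refused before the role checks run.

```python
from dataclasses import dataclass
from typing import List, Optional

ADMIN, USER, VIEWER = "admin", "user", "viewer"


class Unauthorized(Exception):
    """Stand-in for tastypie.exceptions.Unauthorized (hypothetical, Django-free)."""


@dataclass(frozen=True)
class Account:
    """Hypothetical stand-in for the extended Django user: pk plus user_type_category."""
    pk: int
    user_type_category: str


def is_authenticated(user: Optional[Account]) -> bool:
    """Authentication gate, as in MyAuthentication: anonymous and viewer callers are rejected."""
    return user is not None and user.user_type_category != VIEWER


def authorize_detail(op: str, user: Optional[Account], obj: Account) -> bool:
    """Per-object decision: returns True or raises Unauthorized, like a *_detail hook."""
    if not is_authenticated(user):
        raise Unauthorized("authentication failed")
    if op == "read":
        return True  # users and admins may read every account
    if user.user_type_category == ADMIN:
        return True  # admins may create, update and delete anything
    if op == "update" and obj.pk == user.pk:
        return True  # a user may update only their own account
    raise Unauthorized("%s is not allowed to %s account %d" % (user.user_type_category, op, obj.pk))


def authorize_list(op: str, user: Optional[Account], objects: List[Account]) -> List[Account]:
    """List decision: returns the subset the caller may act on, like a *_list hook."""
    if not is_authenticated(user):
        return []
    if op == "read" or user.user_type_category == ADMIN:
        return list(objects)
    if op == "update":
        # Filter on the requester's own pk; a list hook has no per-object bundle to lean on.
        return [o for o in objects if o.pk == user.pk]
    return []  # create/delete on a list are admin-only


def is_denied(op: str, user: Optional[Account], obj: Account) -> bool:
    """True when the detail decision for (op, user, obj) is a refusal."""
    try:
        authorize_detail(op, user, obj)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    admin, alice, bob, viewer = (Account(1, ADMIN), Account(2, USER),
                                 Account(3, USER), Account(4, VIEWER))
    everyone = [admin, alice, bob, viewer]
    for who in everyone:
        for op in ("read", "create", "update", "delete"):
            allowed = [a.pk for a in authorize_list(op, who, everyone)]
            print("%-6s %-6s -> %s" % (who.user_type_category, op, allowed))
```

Running the block prints, per role and operation, which account rows survive the list hook; the detail hook gives the same answers one object at a time, which is the property a test of the real tastypie classes should also check.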