Question

您好我正在关注使用DjangoObjectPermissionsFilter的this示例。

我想创建class SampleModelPermissions(permissions.DjangoObjectPermissions)，以便在我的“自我记录的”DRF API中满足以下描述：

这是我的代码：

在models.py中：

class Sample(models.Model):
    created = models.DateTimeField(default=datetime.datetime.utcnow, blank=True, null=True)
    last_modified = models.DateTimeField(default=datetime.datetime.utcnow, blank=True, null=True)
    owner = models.ForeignKey(User, blank=True, null=True, related_name='sample_owner')
    text = models.TextField(default='', blank=True, null=True)

    class Meta:
        permissions = (
            ('view_sample', "can view sample"),
        )

    def __unicode__(self):
        return self.text

    def __str__(self):
        return self.text

在views.py中

：

class SampleViewSet(viewsets.ModelViewSet):
    '''
    * Model Description: Sample is a sample model.
    * CRUD on Sample model
    * C - CREATE - POST /sample/ - allowed as long as owner is the user creating the object 
    * R - READ - GET /sample/ (list) - user can see objects it owns
    * R - READ - GET /sample/[id]/ (detail) - user can see detail page of objects it owns
    * U - UPDATE - PATCH /sample/[id]/ - allowed for owner
    * D - DELETE - DELETE /sample/[id]/ - allowed for owner
    * Note in the case of a nested model A where a field f points to an instance of another model B, you can set f's value to an instance b of B by PATCHing or POSTing with f_id = [the id of b]. Yes, whenever f points to a foreign model, f is read only and f_id is write only.
    '''
    queryset = Sample.objects.all()
    filter_backends = (DjangoFilterBackend, SearchFilter, OrderingFilter, DjangoObjectPermissionsFilter,)  
    permission_classes = (SampleModelPermissions,)
    filter_fields = '__all__'
    serializer_class = SampleSerializer

in permisions.py

class SampleModelPermissions(permissions.DjangoObjectPermissions):

    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
        'HEAD': ['%(app_label)s.view_%(model_name)s'],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

    logger.info('in SampleModelPermissions')

    def has_object_permission(self, request, view, obj):
        logger.info('in SampleModelPermissions has_object_permission')
        print 'permissions.SAFE_METHODS: ', permissions.SAFE_METHODS
        if request.method in permissions.SAFE_METHODS:
            return request.user == obj.owner or True # need to modify so can see own stuff
        elif request.method == 'POST':
            print 'checking if user has perm to create obj'
            return True # request.user == obj.owner
        elif request.method == 'PATCH': 
            return request.user == obj.owner
        elif request.method == 'DELETE':
            return request.user == obj.owner
        return False

但我在POSTMAN中得到以下内容：

关于我应该做些什么的提示，以便我的API权限能够像我在自我文档中描述的那样工作？

Answer 1

管理权限和实现结果是否有不同的方法，如文档中所述。

在大多数情况下，您必须在创建对象后分配权限。例如，您可以使用信号来分配权限。

示例DjangoObjectPermission：

class SampleModelPermissions(permissions.DjangoObjectPermissions):

    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
        'HEAD': ['%(app_label)s.view_%(model_name)s'],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }

示例信号：

from django.db.models.signals import post_save
from django.dispatch import receiver
from .models import Sample

@receiver(post_save, sender=Sample, dispatch_uid="sample_assign_permission")
def permission_assign(sender, instance, created, **kwargs):
    if created:
        assign_perm('view_sample' self.request.user, instance)
        assign_perm('change_sample', self.request.user, instance)
        assign_perm('add_sample', self.request.user, instance)
        assign_perm('delete_sample', self.request.user, instance)

Answer 2

解决方案是识别has_permission涵盖GET列表和POST，has_object_permissions涵盖GET详细信息，PATCH和{ {1}}。我不得不相应地将我的代码拆分为这两个函数（请记住仍然在解决代码中的其他问题，但是这个问题中涉及的具体问题已经涵盖了）：

DELETE

如何自定义DjangoObjectPermissions？

2 个答案: