我是Django和Tastypie的新手,并尝试按照文档here计算API授权的工作原理。
据我所知,它不起作用。当我向一个不是由请求用户拥有的对象发出POST请求时,它返回true,当它不应该时(我没有尝试DELETE或PUT,但我想它是相同的)。
要么我实施了错误(可能),要么有错误。所以问题是:我如何使用下面的代码示例实现对象授权?例如,我只希望 Stock 的所有者能够在注释或注意上发布< EM>库存
这是book/models.py
from django.db import models
from django.utils import timezone
from django.contrib.auth.models import User
import uuid
class Stock(models.Model):
'''
Model representing the stock info.
'''
user = models.ForeignKey(User)
book_code = models.CharField(max_length=14, null=True, blank=True)
def __str__(self):
return self.book_code
class Note(models.Model):
'''
Model representing the stock note.
'''
user = models.ForeignKey(User)
note = models.TextField(max_length=560)
stock = models.ForeignKey(Stock)
date_note_created = models.DateTimeField(default=timezone.now)
def __str__(self):
return self.note
class Comment(models.Model):
'''
Model representing a Comment for each stock.
'''
id = models.UUIDField(primary_key=True, default=uuid.uuid4)
stock = models.ForeignKey(Stock, null=True)
text = models.TextField()
comment_author = models.ForeignKey(User, null=True, blank=True)
date = models.DateTimeField(default=timezone.now)
def __str__(self):
return '%s' % (self.id)
这是api/api.py:
from tastypie.resources import ModelResource
from book.models import Stock, Note, Comment
from tastypie.authentication import ApiKeyAuthentication
from tastypie.authorization import Authorization
from tastypie import fields
class StockAuthorization(Authorization):
def read_list(self, object_list, bundle):
return object_list.filter(user=bundle.request.user)
class NoteAuthorization(Authorization):
def read_list(self, object_list, bundle):
return object_list.filter(user=bundle.request.user)
def create_detail(self, object_list, bundle):
return obj.thought_author == bundle.request.user
class CommentAuthorization(Authorization):
def read_list(self, object_list, bundle):
return object_list.filter(user=bundle.request.user)
def create_detail(self, object_list, bundle):
return obj.thought_author == bundle.request.user
class StockResource(ModelResource):
class Meta:
queryset = Stock.objects.all()
resource_name = 'stock'
allowed_methods = ['get', 'post', 'put', 'delete']
authorization = StockAuthorization()
authentication = ApiKeyAuthentication()
#ensure object is associated with user who makes a POST request
def hydrate(self, bundle):
bundle.obj.user = bundle.request.user
return bundle
class NoteResource(ModelResource):
stock = fields.ForeignKey(StockResource, attribute='stock', null=True, full=True)
class Meta:
queryset = Note.objects.all()
fields = ['user', 'note', 'stock', 'date_note_created']
resource_name = 'note'
allowed_methods = ['get', 'post', 'put', 'delete']
authorization = NoteAuthorization()
authentication = ApiKeyAuthentication()
def hydrate(self, bundle):
bundle.obj.user = bundle.request.user
return bundle
class CommentResource(ModelResource):
stock = fields.ForeignKey(StockResource, attribute='stock', null=True, full=True)
class Meta:
queryset = Comment.objects.all()
fields = ['text', 'date']
resource_name = 'comment'
allowed_methods = ['get', 'post']
authorization = CommentAuthorization()
authentication = ApiKeyAuthentication()
def hydrate(self, bundle):
bundle.obj.comment_author = bundle.request.user
return bundle