Unable to implement django-rules authorization

Time: 2017-06-27 05:34:19

Tags: django permissions django-rest-framework authorization django-authentication

I am a new Django user looking for help with django-rules. I am trying to set up an authorization system based on '. I have a 'File' model. I want only the creator to be able to delete it, but only a specific group of users to be able to edit it. I have been able to follow their tutorial all the way through and implement it; it works in the shell, but not on my site. Currently nobody can delete or update anything.

My views currently look like:

from rest_framework import generics
from rules.contrib.views import PermissionRequiredMixin

from .models import File
from .serializers import FileSerializer


class FileUpdateView(PermissionRequiredMixin, generics.RetrieveUpdateAPIView):
    """
    View updating details of a bill
    """
    queryset = File.objects.all()
    serializer_class = FileSerializer
    permission_required = 'fileupload.change_file'
    raise_exception = True


class FileDeleteView(PermissionRequiredMixin, generics.RetrieveDestroyAPIView):
    """
    View for deleting a bill
    """
    queryset = File.objects.all()
    serializer_class = FileSerializer
    permission_required = 'fileupload.delete_file'
    raise_exception = True

The rules themselves are:

import rules

@rules.predicate
def is_creator(user, file):
    """Checks if user is file's creator"""
    return file.owner == user

is_editor = rules.is_group_member('ReadAndWrite')

rules.add_perm('fileupload.change_file', is_editor | is_creator)
rules.add_perm('fileupload.delete_file', is_creator)

I know I am close; I feel like I am just missing one step.

Thanks in advance!

2 answers:

Answer 0: (score: 0)

Please check & add the authentication backend for django-rules in the settings file. Also, you are mixing Django REST framework permissions with django-rules permissions. You need to check the django-rules permission inside a Django REST framework permission in the view.

In short:

Define a custom permission in rest-framework like this.

from rest_framework import permissions, viewsets


class RulesPermissions(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # Delegates the object-level check to django-rules via user.has_perm()
        return request.user.has_perm('books.edit_book', obj)

In the viewset:

class BookView(viewsets.ModelViewSet):
    permission_classes = (RulesPermissions,)
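Added example, not code from the original answer: it takes the approach above one step further, so a single DRF permission class serves the question's change/delete rules by mapping the HTTP method to the rules permission name. The permission names and the 'ReadAndWrite' group match the rules registered in the question; the `perm_map` attribute, the `RulesObjectPermission` class and the `Fake*` stand-ins are assumptions made here so the check can be exercised without a database. The settings requirement from the first sentence of the answer is repeated in the header comment, because without the rules backend `user.has_perm()` never reaches the predicates and every write is refused, which is the symptom the question describes.

```python
# Added example (not from the original post). Assumes the question's rules are
# registered and that settings.py contains:
#   AUTHENTICATION_BACKENDS = [
#       'rules.permissions.ObjectPermissionBackend',
#       'django.contrib.auth.backends.ModelBackend',
#   ]
# Without the rules backend, user.has_perm() never consults the predicates and
# every object-level check returns False.

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:  # fallback so the example also runs where DRF is not installed
    SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class RulesObjectPermission(BasePermission):
    """Map the HTTP method to a django-rules permission and ask user.has_perm().

    A view may override the mapping with a `perm_map` attribute (assumed name).
    """
    default_perm_map = {
        'PUT': 'fileupload.change_file',
        'PATCH': 'fileupload.change_file',
        'DELETE': 'fileupload.delete_file',
    }

    def _required_perm(self, request, view):
        perm_map = getattr(view, 'perm_map', self.default_perm_map)
        return perm_map.get(request.method)

    def has_permission(self, request, view):
        # Reads are open to authenticated users; a write must map to a rule.
        user = getattr(request, 'user', None)
        if user is None or not getattr(user, 'is_authenticated', False):
            return False
        if request.method in SAFE_METHODS:
            return True
        return self._required_perm(request, view) is not None

    def has_object_permission(self, request, view, obj):
        # Called from DRF's get_object(); this is where the rules predicates run.
        if request.method in SAFE_METHODS:
            return True
        perm = self._required_perm(request, view)
        if perm is None:
            return False
        return request.user.has_perm(perm, obj)


# --- constructed stand-ins so the class can be exercised without Django ---
class FakeUser:
    is_authenticated = True

    def __init__(self, name, groups=()):
        self.name = name
        self.groups = set(groups)

    def has_perm(self, perm, obj=None):
        # Re-implements the question's two rules for the simulation only; in a
        # real project this call is routed to rules.permissions.ObjectPermissionBackend.
        is_creator = obj is not None and obj.owner is self
        is_editor = 'ReadAndWrite' in self.groups
        if perm == 'fileupload.change_file':
            return is_editor or is_creator
        if perm == 'fileupload.delete_file':
            return is_creator
        return False


class FakeRequest:
    def __init__(self, user, method):
        self.user = user
        self.method = method


class FakeFile:
    def __init__(self, owner):
        self.owner = owner


def simulate(user, method, obj, view=None):
    """Return (has_permission, has_object_permission) for one request."""
    perm = RulesObjectPermission()
    request = FakeRequest(user, method)
    return (perm.has_permission(request, view),
            perm.has_object_permission(request, view, obj))
```

In the real project the class is attached with `permission_classes = (RulesObjectPermission,)` on `FileUpdateView` and `FileDeleteView`, and the rules mixin is dropped from those views. Note that `has_object_permission` only runs when the view calls `get_object()`, so list and create endpoints are covered by `has_permission` alone (with no object to pass to the predicate).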

Answer 1: (score: 0)

I have been using django REST framework and django-rules for a project and found the answer to your question.

The API views used by django REST framework are not compatible with rules' views.PermissionRequiredMixin; the authorization workflow and the methods called during API dispatch are different from django's class-based views.

Try the following mixin for django REST framework API views and their subclasses:

import six
from django.core.exceptions import ImproperlyConfigured


class PermissionRequiredMixin:
    """Checks django-rules permissions from a DRF APIView's check_permissions()."""

    permission_required = None

    def get_permission_object(self):
        # Views without get_object() (list/create) are checked with obj=None
        object_getter = getattr(self, 'get_object', lambda: None)
        return object_getter()

    def get_permission_required(self):

        if self.permission_required is None:
            raise ImproperlyConfigured(
                '{0} is missing the permission_required attribute. Define '
                '{0}.permission_required, or override '
                '{0}.get_permission_required().'
                .format(self.__class__.__name__)
            )

        if isinstance(self.permission_required, six.string_types):
            perms = (self.permission_required, )
        else:
            perms = self.permission_required

        return perms

    def check_permissions(self, request):
        # DRF calls this from initial(), before the handler method runs
        obj = self.get_permission_object()
        user = request.user
        missing_permissions = [perm for perm in self.get_permission_required()
                               if not user.has_perm(perm, obj)]
        if missing_permissions:
            self.permission_denied(
                request,
                message='MISSING: {}'.format(', '.join(missing_permissions)))

With this mixin you do not have to write a REST framework permission for every rules permission.