Rest Framework序列化程序,禁止用户更改其他密码

时间:2018-08-30 22:36:21

标签: python django python-3.x django-rest-framework django-views

我正在创建一个简单的Web应用程序,但找不到阻止其他用户更改密码的任何方法。这是最少的代码:

# serializers.py
from rest_framework import serializers

class UserSerializer(serializers.ModelSerializer):
    def create(self, validated_data):
        # have to use custom create method because default method calls `User.objects.create()` which doesn't take care of password hashing and other important stuff 
        return User.objects.create_user(**validated_data)

    class Meta:
        model = User
        fields = ('id', 'username', 'email', 'password')
        read_only_fields = ('id', 'username')

        # password is set to write_only because I don't want to send it to anybode (even though it's just a hash)
        extra_kwargs = {'password': {'write_only': True}}

# views.py
from .serializers import UserSerializer
from rest_framework import generics
from django.contrib.auth.models import User

class UserDetails(generics.RetrieveUpdateAPIView):

    queryset = User.objects.all()
    serializer_class = UserSerializer

我自己可以使用APIView来解决这个问题。

# views.py
from .serializers import UserSerializer
from rest_framework.views import APIView
from django.contrib.auth.models import User

class UserDetails(APIView):
    def put(self, request, format=None):

        serialized = UserSerializer(data=request.DATA)
        if not serialized.is_valid():
            return # probably HTTP 400 Error code
        if request.user.id != serialized.data['id']:
            # this if is what I'm trying to achieve
            return # probably HTTP 403 Error code
        user = User.objects.update(
            id=serialized.data['id'],
            email=serialized.data['email']
        )
        if 'password' in request.DATA:
            user.set_password(request.DATA['password'])
        return # probably HTTP 200 Error code

不幸的是,这将导致rest_framework.schemas.get_schema_view生成的方案不完整。我使用CoreAPI进行通信(它无法与方案中未描述的内容进行通信),所以我无法做到这一点。我没有在官方文档中找到任何东西。 这似乎是一个太基本的问题,我错过了一个超级简单的解决方案。感谢您提出的建议或建议。

PS:我正在将django2.1与python3.6配合使用

编辑:osobacho的解决方案很干净,并且像魅力一样工作。无论如何,我还需要仅允许对该待办事项列表的创建者进行修改(比方说TODO-list)。认为密码问题的解决方案将适用,但并非如此。

1 个答案:

答案 0 :(得分:3)

您可以在请求中吸引用户。这样,每个用户只能更改自己的密码。

class UserDetails(generics.RetrieveUpdateAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

    def get_object(self):
        return self.request.user

关于第二个问题,请看django_restframework http://www.django-rest-framework.org/api-guide/permissions/权限,这里是一个示例:

class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `owner` attribute.
"""

def has_object_permission(self, request, view, obj):
    # Read permissions are allowed to any request,
    # so we'll always allow GET, HEAD or OPTIONS requests.
    if request.method in permissions.SAFE_METHODS:
        return True

    # Instance must have an attribute named `owner`.
    return obj.owner == request.user

然后您需要添加到视图:

 permission_classes = (IsOwnerOrReadOnly,)

希望有帮助

相关问题
最新问题