Django Rest Framework自定义权限验证

时间:2018-10-20 00:25:38

标签: python django django-rest-framework

我有一个自定义ViewSet,可以对数据库进行复合查询和更新。我想建立不同级别的权限,因此我可以授权一些用户在视图上发送 GET 方法,而其他一些用户则可以请求 POST PUT 方法。

In the documentation I have found,所有权限都被认为是类视图的全局权限,因此我不知道如何将某些权限应用于list方法,而将不同的权限应用于create和ViewSet的update方法。

这是ViewSet的主要代码:

class ReservationCompositionViewSet(viewsets.ViewSet):

    def list(self, request, pk):
            reservation = models.Reservation.objects.filter(booking=pk).order_by('timestamp').last()
            if reservation == None:
                raise CustomValidation(_('There is not such Reservation: {}'.format(pk)), 'booking', status.HTTP_400_BAD_REQUEST)

            result_set = serializers.ReservationSerializer(reservation).data

            result_set['pax'] = self.get_reservation_people(reservation)
            result_set['itinerary'] = self.get_reservation_composition(reservation)

            return Response(result_set)
    ...

    def create(self, request):
        reservation_data = request.data
        user = request.user

        reservation = models.Reservation()
        reservation.booking = reservation_data['booking']
        reservation.agency = models.Agency.objects.get(id=reservation_data['agency'])
        reservation.comment = reservation_data.pop('comment', None)
        reservation.status = reservation_data.pop('status', 'UNCONFIRMED')
        if reservation.status == None:
            reservation.status = 'UNCONFIRMED'
        reservation.arrival_date = reservation_data['arrival_date']
        reservation.departure_date = reservation_data['departure_date']
        reservation.confirmation = reservation_data.pop('confirmation', None)
        reservation.is_invoiced = reservation_data['is_invoiced']
        reservation.user = user

        reservation.save()

        reservation_to_return = serializers.ReservationSerializer(reservation).data
        reservation_to_return['pax'] = self.save_reservation_people(reservation, reservation_data.pop('pax'))
        reservation_to_return['itinerary'] = self.save_reservation_components(reservation, reservation_data.pop('itinerary'))

        return Response(reservation_to_return)

    def update(self, request, pk):
        reservation_data = request.data
        user = request.user

        reservation = self.save_reservation(reservation_data, user, pk)

        reservation_to_return = serializers.ReservationSerializer(reservation).data
        reservation_to_return['pax'] = self.save_reservation_people(reservation, reservation_data.pop('pax'))
        reservation_to_return['itinerary'] = self.save_reservation_components(reservation, reservation_data.pop('itinerary'))

        return Response(reservation_to_return)
        ...

我想在调用方法can_view时验证用户是否具有list()权限,而在调用can_editcreate()方法时具有update()权限。

1 个答案:

答案 0 :(得分:2)

路由器的视图集的SELECT COUNT(gerateID) into @limitcount FROM Gerate PREPARE STMT FROM 'SELECT Umweltdaten.id,Umweltdaten.Temperatur,Umweltdaten.DatumZeit, Umweltdaten.gerateID FROM Umweltdaten LIMIT ?'; EXECUTE STMT USING @limitcount ; list()create()方法与路由器相应的HTTP方法mapped一样。

因此,您可以创建一个自定义权限,以检查HTTP方法的类型以确定正在执行的操作。

例如:

update()

并在视图集上指定它:

from rest_framework import permissions

class ReservationCompositionPermission(permissions.BasePermission):

    def has_permission(self, request, view):
        if request.method == 'GET':
            return request.user.has_perm('can_view')
        elif request.method in ('POST', 'PUT', 'PATCH'):
            return request.user.has_perm('can_edit')
        return False
相关问题
最新问题