我创建了一个待办事项列表API,其中包含用户个人资料。每个用户配置文件可以具有待办事项列表。现在一切正常,但是这里的问题是一个用户可以查看其他用户的数据,但是我想限制一个用户不要在请求URL时看到其他用户的待办事项列表。
class TodoListItem(models.Model):
"""Todo List"""
user_profile = models.ForeignKey('UserProfile', on_delete=models.CASCADE)
todo_item = models.CharField(max_length=150)
description = models.CharField(max_length=255)
created_on = models.DateTimeField(auto_now_add=True)
reminder_date = models.DateTimeField()
def __str__(self):
"""Return the model as the string"""
return self.todo_item
class TodoItemViewSet(viewsets.ModelViewSet):
"""Handles creating, reading, and updating profile Todo Items."""
authentication_classes = (TokenAuthentication,)
serializer_class = serializers.TodoItemSerializer
queryset = models.TodoListItem.objects.all()
permission_classes = (permissions.UpdateTodoItem, IsAuthenticated)
def perform_create(self, serializer):
"""Sets the user profile to the logged in User."""
serializer.save(user_profile=self.request.user)
class TodoItemSerializer(serializers.ModelSerializer):
"""Serializer for Todo Items."""
class Meta:
model = models.TodoListItem
fields = ('id', 'user_profile', 'todo_item', 'description', 'created_on', 'reminder_date')
extra_kwargs = {'user_profile': {'read_only': True}}
class UpdateTodoItem(permissions.BasePermission):
"""Allow users to update their own status."""
def has_object_permission(self, request, view, obj):
"""Check user is trying to update their own status."""
if request.method in permissions.SAFE_METHODS:
return True
return obj.user_profile.id == request.user.id
[
{
"id": 1,
"user_profile": 1,
"todo_item": "Todo Item 1",
"description": "Sample todo item 1",
"created_on": "2019-06-06T04:48:59.401451Z",
"reminder_date": "2019-06-02T04:48:57Z"
},
{
"id": 2,
"user_profile": 2,
"todo_item": "Todo Item 2",
"description": "Sample todo item 3",
"created_on": "2019-06-06T04:50:08.734365Z",
"reminder_date": "2019-06-03T04:50:07Z"
},
{
"id": 3,
"user_profile": 1,
"todo_item": "Todo Item 2",
"description": "",
"created_on": "2019-06-06T04:54:47.919602Z",
"reminder_date": "2019-06-07T02:00:00Z"
},
{
"id": 4,
"user_profile": 1,
"todo_item": "Todo Item 4",
"description": "Sample todo item 4",
"created_on": "2019-06-06T05:00:08.004224Z",
"reminder_date": "2019-06-07T10:01:00Z"
}
]
[
{
"id": 1,
"user_profile": 1,
"todo_item": "Todo Item 1",
"description": "Sample todo item 1",
"created_on": "2019-06-06T04:48:59.401451Z",
"reminder_date": "2019-06-02T04:48:57Z"
},
{
"id": 3,
"user_profile": 1,
"todo_item": "Todo Item 2",
"description": "",
"created_on": "2019-06-06T04:54:47.919602Z",
"reminder_date": "2019-06-07T02:00:00Z"
},
{
"id": 4,
"user_profile": 1,
"todo_item": "Todo Item 4",
"description": "Sample todo item 4",
"created_on": "2019-06-06T05:00:08.004224Z",
"reminder_date": "2019-06-07T10:01:00Z"
},
]
我只需要看到user_profile 1的todo_item,因为user_profile:1是登录的用户。
答案 0 :(得分:0)
您可以尝试一下。返回特定用户的记录
class TodoItemViewSet(viewsets.ModelViewSet):
"""Handles creating, reading, and updating profile Todo Items."""
authentication_classes = (TokenAuthentication,)
serializer_class = serializers.TodoItemSerializer
queryset = models.TodoListItem.objects.all()
permission_classes = (permissions.UpdateTodoItem, IsAuthenticated)
def perform_create(self, serializer):
"""Sets the user profile to the logged in User."""
serializer.save(user_profile=self.request.user)
def get_queryset(self):
return self.queryset.filter(user_profile=self.request.user)
希望有帮助
推荐this