我正在使用 Django rest 框架构建具有 CRUD 功能的身份验证系统。我被困在如何创建自定义权限以不让登录用户看到其他用户的数据。我在下面突出显示了 permissions.py、models.py 和 views.py 文件,以帮助我解决此问题。
非常感谢您的帮助。
setting.py:
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated',
],
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.TokenAuthentication',
],
}
permission.py:
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
return obj.owner == request.user
views.py:
from rest_framework import generics, permissions
from stations.models import Stations
from .serializers import StationSerializer
class StationList(generics.ListCreateAPIView):
queryset = Stations.objects.all()
serializer_class = StationSerializer
class StationDetail(generics.RetrieveUpdateDestroyAPIView):
queryset = Stations.objects.all()
serializer_class = StationSerializer
models.py:
from django.db import models
from django.contrib.auth.models import User
class Stations(models.Model):
owner = models.ForeignKey(User, on_delete = models.CASCADE)
name = models.CharField(max_length = 20, unique = True)
location = models.CharField(max_length = 70)
capacity = models.IntegerField()
area = models.IntegerField()
created_at = models.DateTimeField(auto_now_add = True)
updated_at = models.DateTimeField(auto_now = True)
def __str__(self):
return self.name
答案 0 :(得分:0)
对于 StationList:
您需要使用过滤器进行对象级过滤。
class StationList(generics.ListCreateAPIView):
serializer_class = StationSerializer
def get_queryset(self):
user = self.request.user
return Stations.objects.filter(owner=user)
对于 StationDetail:
您需要在视图中包含 permission_classes
,如下所示:
class StationDetail(generics.RetrieveUpdateDestroyAPIView):
permission_classes = [IsAuthenticated&IsOwnerOrReadOnly]
queryset = Stations.objects.all()
serializer_class = StationSerializer