我目前正在开发一个 DRF 项目,其中管理员用户、教师用户和所有者用户应该能够访问对象详细信息 View 。基本上所有用户类型,除了那些不是对象所有者、教师或管理员用户的用户。我能够为每个权限实现单独的权限,但是当我需要在 View 上组合这些权限时,我遇到了障碍,因为在对象级别权限之前检查用户级别权限。因此,我不能使用 bool 操作数来组合它们,我必须为我的 View 编写这些丑陋的权限类。
我的问题是:
如何以更清晰的方式在详细信息 View 上实现这些权限,或者是否有更清晰的方式来获取结果?
正如您将看到的,我违反了 DRY,因为我有 IsAdminOrOwner 和 IsAdminOrTeacherOrOwner 烫发。您还会注意到,在我看来,我覆盖了 get_permissions() 以便为各个请求方法提供适当的权限类。欢迎对此和其他实现提出任何评论,我想要批评,以便我可以改进它。
以下是权限.py:
from rest_framework import permissions
from rest_framework.permissions import IsAdminUser
class IsOwner(permissions.BasePermission):
def has_permission(self, request, view):
return True
def has_object_permission(self, request, view, obj):
return request.user == obj
class IsTeacher(permissions.BasePermission):
def has_permission(self, request, view):
return request.user.groups.filter(
name='teacher_group').exists()
class IsAdminOrOwner(permissions.BasePermission):
def has_object_permission(self, *args):
is_owner = IsOwner().has_object_permission(*args)
#convert tuple to list
new_args = list(args)
#remove object for non-object permission args
new_args.pop()
is_admin = IsAdminUser().has_permission(*new_args)
return is_owner or is_admin
class IsAdminOrTeacherOrOwner(permissions.BasePermission):
def has_object_permission(self, *args):
is_owner = IsOwner().has_object_permission(*args)
#convert tuple to list
new_args = list(args)
#remove object for non-object permission args
new_args.pop()
is_admin = IsAdminUser().has_permission(*new_args)
is_teacher = IsTeacher().has_permission(*new_args)
return is_admin or is_teacher or is_owner
这是我的观点:
class UserRetrieveUpdateView(APIView):
serializer_class = UserSerializer
def get_permissions(self):
#the = is essential, because with each view
#it resets the permission classes
#if we did not implement it, the permissions
#would have added up incorrectly
self.permission_classes = [IsAuthenticated]
if self.request.method == 'GET':
self.permission_classes.append(
IsAdminOrTeacherOrOwner)
elif self.request.method == 'PUT':
self.permission_classes.append(IsOwner)
return super().get_permissions()
def get_object(self, pk):
try:
user = User.objects.get(pk=pk)
self.check_object_permissions(self.request, user)
return user
except User.DoesNotExist:
raise Http404
def get(self, request, pk, format=None):
user = self.get_object(pk)
serializer = self.serializer_class(user)
return Response(serializer.data, status.HTTP_200_OK)
def put(self, request, pk, format=None):
user = self.get_object(pk)
#we use partial to update only certain values
serializer = self.serializer_class(user,
data=request.data, partial=True)
if serializer.is_valid():
serializer.save()
return Response(serializer.data,
status.HTTP_200_OK)
return Response(status=status.HTTP_400_BAD_REQUEST)
最佳答案
Permissions in DRF可以使用按位 OR 运算符进行组合。例如,您可以这样做:
permission_classes = (IsAdmin | IsOwner | IsTeacher)
这样,您就不必定义单独的类来组合它们。
关于python - 如何在 DRF 中组合/混合对象级别和用户级别权限?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55766217/