How to filter user related records with permissions in Django Rest Framework


Question

I need to know how to restrict access to authenticated users such that user records can be listed in full for those logged in as Administrator, and for those logged in as a User only their own records can be listed, updated and created for themselves.

Currently I am using serializers.ModelSerializer, viewsets.ModelViewSet and permissions.BasePermission, but I don't seem to be getting anywhere very fast.

Answer

There is no out-of-the-box way of handling such permissions with a magic wand. There are, however, some libraries out there that can handle object-level permissions; check django-guardian, as it has a nice interface with Django Rest Framework.

One good way to handle this is to combine django-guardian's capabilities with a custom get_queryset() method as described in @ilse2005's answer. This takes care of your list and retrieve; update and deletion can be delegated to django-guardian.

from rest_framework.viewsets import ModelViewSet

# FooModel stands for your own model; it is assumed to have an `owner` foreign key to the user.
class View(ModelViewSet):
    ...  # serializer_class and the rest of the view's configuration go here

    def get_queryset(self):
        # Superusers see every record; any other user only sees the rows they own.
        if self.request.user.is_superuser:
            return FooModel.objects.all()
        return FooModel.objects.filter(owner=self.request.user)

This can also work with APIViews and other class-based views in DRF.

Caution: if your API consumers rely on HTTP error codes for meaning, this approach would give them 404 Not Found instead of HTTP 403, which is the standard way of saying permission denied. In this case it is advisable to write a custom permission class. For example, the following IP blacklisting permission class is straight from the documentation - http://www.django-rest-framework.org/api-guide/permissions/

from rest_framework import permissions

# Blacklist is assumed to be one of your app's models with an `ip_addr` field;
# import it from your models module.

class BlacklistPermission(permissions.BasePermission):
    """
    Global permission check for blacklisted IPs.
    """

    def has_permission(self, request, view):
        # REMOTE_ADDR is the immediate peer; behind a reverse proxy this is the
        # proxy's address, so make sure the value you check is the one you mean.
        ip_addr = request.META['REMOTE_ADDR']
        blacklisted = Blacklist.objects.filter(ip_addr=ip_addr).exists()
        return not blacklisted

Use this class in the viewset by setting the class variable:

permission_classes = [BlacklistPermission]  # a list or tuple of classes, not a bare class
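To make the 404-versus-403 distinction from the caution above concrete, the following added example (not code from the original answer or from DRF) contrasts filtering in get_queryset() with an owner-or-admin object permission. User, Request and Record are minimal stand-ins so it runs without Django; in a real project IsOwnerOrAdmin would subclass rest_framework.permissions.BasePermission, which has exactly these two method signatures.

```python
# Added example (not from the original answer). Contrasts the two strategies the
# answer discusses: filtering in get_queryset() turns a foreign record into a 404,
# while an object-level permission class turns it into a 403. User, Request and
# Record are stand-ins so this runs without Django; in a project IsOwnerOrAdmin
# subclasses rest_framework.permissions.BasePermission (same two method signatures).
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False

@dataclass
class Request:
    user: User

@dataclass
class Record:
    pk: int
    owner: User

class IsOwnerOrAdmin:
    """Admins may act on any record; everyone else only on records they own."""
    def has_permission(self, request, view):
        # View-level gate: reject anonymous callers before any lookup happens.
        return bool(request.user and request.user.is_authenticated)
    def has_object_permission(self, request, view, obj):
        return request.user.is_superuser or obj.owner == request.user

def visible_records(records, user):
    """Mirror of the answer's get_queryset(): admins see all, users only their own."""
    return [r for r in records if user.is_superuser or r.owner == user]

def retrieve_via_queryset(records, request, pk):
    """Strategy 1: filter first, then look up; a foreign pk is simply absent -> 404."""
    match = next((r for r in visible_records(records, request.user) if r.pk == pk), None)
    return (404, None) if match is None else (200, match)

def retrieve_via_permission(records, request, pk):
    """Strategy 2: look up in the full table, then run the object permission the way
    DRF's check_object_permissions() does; a foreign pk exists but is denied -> 403."""
    perm = IsOwnerOrAdmin()
    if not perm.has_permission(request, view=None):
        return 403, None  # DRF answers 401 instead when an authenticator offers a challenge
    match = next((r for r in records if r.pk == pk), None)
    if match is None:
        return 404, None
    if not perm.has_object_permission(request, view=None, obj=match):
        return 403, None
    return 200, match
```

The same request for another user's record yields 404 under the first strategy and 403 under the second, which is the difference the caution is about.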
