Combining 2 custom permissions in Django REST framework


Problem description

I have a model called Showcase that users use to showcase projects, and also a collaboration model where users can add collaborators to the showcase. I am trying to implement a case where administrators in the showcase and the user in a collaboration can delete that collaboration.

To explain better, in a showcase model, there is a list of administrators that manage the showcase. They can also add collaborators (through the Collaborator model) to a showcase. The Collaborator has a user field, which is the user who contributed to the showcase.

I want that after a collaborator has been added, that user can either delete himself (in a case he doesn't want to be part of the showcase) or the administrators can delete that collaborator (in a case they added a wrong user and want to delete him from that showcase).

models.py

class Showcase(models.Model):
    title = models.CharField(max_length=50)
    description = models.TextField(null=True)
    skill_type = models.ForeignKey(Skill, on_delete=models.CASCADE)
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.DO_NOTHING, related_name="Showcases")
    content = models.TextField(null=True)
    created_on = models.DateTimeField(auto_now_add=True)
    updated_on = models.DateTimeField(auto_now=True)
    voters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name="upvotes")
    slug = models.SlugField(max_length=255, unique=True)
    administrator = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name="administrators", blank=True)


class Collaborator(models.Model):
    post = models.ForeignKey(Showcase, on_delete=models.CASCADE, related_name="collaborated_showcases")
    user = models.ForeignKey(settings.AUTH_USER_MODEL, 
                            on_delete=models.CASCADE, related_name="collaborators")
    skill = models.ForeignKey(Skill, on_delete=models.CASCADE, null=True, related_name="creative_type")
    role = models.TextField(null=True)
    created_on = models.DateTimeField(auto_now_add=True)
    updated_on = models.DateTimeField(auto_now=True)

permission.py

class IsUser(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return False
        return obj.user == request.user


class IsAdmin(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return False
        return request.user.administrators.filter(pk=obj.pk).exists()

view.py

class CollaboratorDeleteView(APIView):
    '''
    Allow Administrators to delete a collaborator to a showcase 
    or allow the collaborator user to be able to delete himself 
    '''
    permission_classes = [IsAdmin]

    def delete(self, request, pk):
        collaborator = get_object_or_404(Collaborator, pk=pk)
        showcase = collaborator.post

        try:
            self.check_object_permissions(request, showcase)
            collaborator.delete()
            return Response(status=status.HTTP_204_NO_CONTENT)
        except APIException:
            return Response(status=status.HTTP_403_FORBIDDEN)

URLs

path("collaborator/<int:pk>/delete/", qv.CollaboratorDeleteView.as_view(), name="collaborator-delete-view"),

Right now I have been able to implement that administrators can remove the collaborator, but how can I add another permission for the user in the Collaborator model to be able to delete himself as a collaborator through that same view?

Recommended answer

Actually, both permissions can be combined into a single one. For example, updating the permission like this:

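from rest_framework import permissions


class CanDeleteUser(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        # obj is the Collaborator; safe (read-only) methods are rejected
        if request.method in permissions.SAFE_METHODS:
            return False
        # allow the collaborator himself, or an administrator of his showcase
        return obj.user == request.user or obj.post.administrator.filter(pk=request.user.pk).exists()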

Here I am checking whether the request.user is obj.user, or checking against the administrators of the showcase object attached to the obj variable.

Now I am only going to check permission for collaborator.

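from django.shortcuts import get_object_or_404
from rest_framework import status
from rest_framework.exceptions import APIException
from rest_framework.response import Response
from rest_framework.views import APIView


class CollaboratorDeleteView(APIView):
    '''
    Allow Administrators to delete a collaborator to a showcase 
    or allow the collaborator user to be able to delete himself 
    '''
    permission_classes = [CanDeleteUser]

    def delete(self, request, pk):
        collaborator = get_object_or_404(Collaborator, pk=pk)

        try:
            # the permission is now checked against the Collaborator itself
            self.check_object_permissions(request, collaborator)
            collaborator.delete()
            return Response(status=status.HTTP_204_NO_CONTENT)
        except APIException:
            return Response(status=status.HTTP_403_FORBIDDEN)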
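
A decision matrix for the combined rule above, as an added example that is not part of the original answer: it exercises the negative cases (an administrator of a different showcase, a collaborator of another showcase, an anonymous request) alongside the two allowed ones. `CanDeleteCollaborator`, `AdminSet`, the explicit anonymous check and the sample users are assumptions made so the rule runs without Django or a database.

```python
# Added example: decision matrix for the combined delete rule.
# AdminSet and the sample objects are constructed stand-ins for the
# Django models, so the rule can be exercised without a database.
from types import SimpleNamespace

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same values DRF uses


class AdminSet:
    """Mimics showcase.administrator.filter(pk=...).exists()."""
    def __init__(self, pks):
        self._pks = set(pks)

    def filter(self, pk):
        return AdminSet(self._pks & {pk})

    def exists(self):
        return bool(self._pks)


class CanDeleteCollaborator:
    """Hypothetical name; same method signature as a DRF BasePermission."""
    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return False
        if request.user.pk is None:  # anonymous: never the owner or an admin
            return False
        is_self = obj.user.pk == request.user.pk
        return is_self or obj.post.administrator.filter(pk=request.user.pk).exists()


def decision_matrix():
    alice, bob, carol, dave = (SimpleNamespace(pk=i) for i in (1, 2, 3, 4))
    anon = SimpleNamespace(pk=None)
    showcase_a = SimpleNamespace(administrator=AdminSet({alice.pk}))
    showcase_b = SimpleNamespace(administrator=AdminSet({carol.pk}))
    collab_a = SimpleNamespace(user=bob, post=showcase_a)   # bob works on A
    collab_b = SimpleNamespace(user=dave, post=showcase_b)  # dave works on B
    cases = {
        "admin of the same showcase": (alice, "DELETE", collab_a),
        "collaborator himself": (bob, "DELETE", collab_a),
        "admin of another showcase": (carol, "DELETE", collab_a),
        "collaborator of another showcase": (dave, "DELETE", collab_a),
        "admin reaching across showcases": (alice, "DELETE", collab_b),
        "anonymous": (anon, "DELETE", collab_a),
        "collaborator, safe method": (bob, "GET", collab_a),
    }
    perm = CanDeleteCollaborator()
    return {name: perm.has_object_permission(SimpleNamespace(user=u, method=m), None, o)
            for name, (u, m, o) in cases.items()}
```

The same cases translate directly into API tests against the real view, where each denied row should come back as 403.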
