Combining 2 custom permissions in django rest framework
Problem description
I have a model called Showcase that users use to showcase projects, and also a collaboration model where users can add collaborators to the showcase. I am trying to implement a case where administrators in the showcase and the user in a collaboration can delete that collaboration.
To explain better, in a showcase model, there is a list of administrators that manage the showcase. They can also add collaborators (through the Collaborator model) to a showcase. The Collaborator has a user field, which is the user who contributed to the showcase.
I want that after a collaborator has been added, that user can either delete himself (in a case he doesn't want to be part of the showcase) or the administrators can delete that collaborator (in a case they added a wrong user and want to delete him from that showcase).
models.py

    from django.conf import settings
    from django.db import models

    # Skill is another model defined elsewhere in the project.


    class Showcase(models.Model):
        title = models.CharField(max_length=50)
        description = models.TextField(null=True)
        skill_type = models.ForeignKey(Skill, on_delete=models.CASCADE)
        user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.DO_NOTHING, related_name="Showcases")
        content = models.TextField(null=True)
        created_on = models.DateTimeField(auto_now_add=True)
        updated_on = models.DateTimeField(auto_now=True)
        voters = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name="upvotes")
        slug = models.SlugField(max_length=255, unique=True)
        # Users allowed to manage this showcase; reverse accessor is user.administrators
        administrator = models.ManyToManyField(settings.AUTH_USER_MODEL, related_name="administrators", blank=True)


    class Collaborator(models.Model):
        post = models.ForeignKey(Showcase, on_delete=models.CASCADE, related_name="collaborated_showcases")
        user = models.ForeignKey(settings.AUTH_USER_MODEL,
                                 on_delete=models.CASCADE, related_name="collaborators")
        skill = models.ForeignKey(Skill, on_delete=models.CASCADE, null=True, related_name="creative_type")
        role = models.TextField(null=True)
        created_on = models.DateTimeField(auto_now_add=True)
        updated_on = models.DateTimeField(auto_now=True)
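permission.py

    from rest_framework import permissions


    class IsUser(permissions.BasePermission):
        def has_object_permission(self, request, view, obj):
            # Read-only methods are never granted by this permission.
            if request.method in permissions.SAFE_METHODS:
                return False
            # obj is expected to be a Collaborator.
            return obj.user == request.user


    class IsAdmin(permissions.BasePermission):
        def has_object_permission(self, request, view, obj):
            if request.method in permissions.SAFE_METHODS:
                return False
            # obj is expected to be a Showcase; user.administrators is the
            # reverse side of Showcase.administrator.
            return request.user.administrators.filter(pk=obj.pk).exists()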
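view.py

    from django.shortcuts import get_object_or_404
    from rest_framework import status
    from rest_framework.exceptions import APIException
    from rest_framework.response import Response
    from rest_framework.views import APIView

    from .models import Collaborator
    from .permission import IsAdmin


    class CollaboratorDeleteView(APIView):
        '''
        Allow Administrators to delete a collaborator to a showcase
        or allow the collaborator user to be able to delete himself
        '''
        permission_classes = [IsAdmin]

        def delete(self, request, pk):
            collaborator = get_object_or_404(Collaborator, pk=pk)
            showcase = collaborator.post
            try:
                # APIView does not run object-level checks on its own;
                # IsAdmin is evaluated against the parent showcase here.
                self.check_object_permissions(request, showcase)
                collaborator.delete()
                return Response(status=status.HTTP_204_NO_CONTENT)
            except APIException:
                return Response(status=status.HTTP_403_FORBIDDEN)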
URLs
path("collaborator/<int:pk>/delete/", qv.CollaboratorDeleteView.as_view(), name="collaborator-delete-view"),
Right now I have been able to implement that administrators can remove the collaborator, but how can I add another permission for the user in the Collaborator model to be able to delete himself as a collaborator through that same view?
Recommended answer
Actually, both permissions can be combined into a single one. For example, updating the permission like this:
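
    class CanDeleteUser(permissions.BasePermission):
        def has_object_permission(self, request, view, obj):
            if request.method in permissions.SAFE_METHODS:
                return False
            # obj is a Collaborator: allow the collaborator themselves, or any
            # administrator of the showcase this collaborator belongs to.
            return obj.user == request.user or obj.post.administrator.filter(pk=request.user.pk).exists()
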
Here I am checking either that the request.user is obj.user, or checking against the administrators of the showcase object attached to the obj variable.
Now I am only going to check permission for collaborator.
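
    class CollaboratorDeleteView(APIView):
        '''
        Allow Administrators to delete a collaborator to a showcase
        or allow the collaborator user to be able to delete himself
        '''
        permission_classes = [CanDeleteUser]

        def delete(self, request, pk):
            collaborator = get_object_or_404(Collaborator, pk=pk)
            try:
                # The check now runs against the collaborator, not the showcase.
                self.check_object_permissions(request, collaborator)
                # Same handling as in the question's view.
                collaborator.delete()
                return Response(status=status.HTTP_204_NO_CONTENT)
            except APIException:
                return Response(status=status.HTTP_403_FORBIDDEN)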
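
The combined rule from the answer as a decision table, added here as an example that is not part of the original answer. `User`, `Showcase` and `Collaborator` below are plain-Python stand-ins (assumptions) for the Django models so it runs without a database, and `can_delete_collaborator` and `decision_matrix` are hypothetical names.

```python
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same values as DRF's permissions.SAFE_METHODS

@dataclass(frozen=True)
class User:                      # stand-in for AUTH_USER_MODEL
    pk: Optional[int]            # None models an unauthenticated requester

@dataclass
class Showcase:                  # stand-in: only the administrator relation
    admin_pks: set = field(default_factory=set)

@dataclass
class Collaborator:              # stand-in: only the fields the rule reads
    post: Showcase
    user: User

def can_delete_collaborator(method, requester, collab):
    """Hypothetical helper mirroring CanDeleteUser.has_object_permission."""
    if method in SAFE_METHODS:
        return False
    if requester.pk is None:     # anonymous is never obj.user and is in no admin list
        return False
    is_self = collab.user == requester
    is_admin = requester.pk in collab.post.admin_pks  # admins of *this* showcase only
    return is_self or is_admin

def decision_matrix():
    """Constructed sample data: two showcases, one collaborator on each."""
    member, admin_a, admin_b, stranger, anon = (User(p) for p in (1, 2, 3, 4, None))
    collab_a = Collaborator(post=Showcase({admin_a.pk}), user=member)
    collab_b = Collaborator(post=Showcase({admin_b.pk}), user=stranger)
    cases = {
        "collaborator removes self": ("DELETE", member, collab_a),
        "admin of same showcase": ("DELETE", admin_a, collab_a),
        "admin of another showcase": ("DELETE", admin_b, collab_a),
        "collaborator on another showcase": ("DELETE", stranger, collab_a),
        "admin_a on showcase B": ("DELETE", admin_a, collab_b),
        "anonymous": ("DELETE", anon, collab_a),
        "admin using GET": ("GET", admin_a, collab_a),
    }
    return {name: can_delete_collaborator(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, allowed in decision_matrix().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}")
```

The rows worth turning into real API tests are the cross-showcase ones: an administrator of one showcase must get a 403 when deleting a collaborator that belongs to another.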