Staff-only permissions in Django Rest Framework


Question

I am trying to create Django Rest Framework ModelViewSets that are staff only. When I try to use the standard Django decorator @staff_member_required I get errors which make me believe the decorators won't work with Django Rest Framework.

So I am trying to write my own ModelViewSet mixin. It mostly works as I want, except for the update method which I can't make work.

So, two questions: is there a more elegant way to do this, and if not, what is wrong with my update method? I can't find any documentation on update, so I'm using my best guess as to how to super it, but it's not working.

Thanks!

John

Here is my class:

from rest_framework import status, viewsets
from rest_framework.response import Response


class StaffOnlyModelViewSet(viewsets.ModelViewSet):
    # Every action repeats the same is_staff check; non-staff callers
    # receive the same 401 body whichever action they hit.

    def list(self, request):
        if self.request.user.is_staff:
            return super(StaffOnlyModelViewSet, self).list(request)
        else:
            content = {'Unauthorised': 'This API is private'}
            return Response(content, status=status.HTTP_401_UNAUTHORIZED)

    def retrieve(self, request, pk=None):
        if self.request.user.is_staff:
            return super(StaffOnlyModelViewSet, self).retrieve(request, pk=None)
        else:
            content = {'Unauthorised': 'This API is private'}
            return Response(content, status=status.HTTP_401_UNAUTHORIZED)

    def create(self, request):
        if self.request.user.is_staff:
            return super(StaffOnlyModelViewSet, self).create(request)
        else:
            content = {'Unauthorised': 'This API is private'}
            return Response(content, status=status.HTTP_401_UNAUTHORIZED)

    def update(self, request, pk=None):
        if self.request.user.is_staff:
            return super(StaffOnlyModelViewSet, self).update(request, pk=None)
        else:
            content = {'Unauthorised': 'This API is private'}
            return Response(content, status=status.HTTP_401_UNAUTHORIZED)

    def destroy(self, request, pk=None):
        if self.request.user.is_staff:
            return super(StaffOnlyModelViewSet, self).destroy(request, pk=None)
        else:
            content = {'Unauthorised': 'This API is private'}
            return Response(content, status=status.HTTP_401_UNAUTHORIZED)

Answer

The more elegant way of achieving your goal is to use permissions. These can be declared globally, at the view level, or with a decorator. IsAdminUser is defined in rest_framework.permissions as:

from rest_framework.permissions import BasePermission


class IsAdminUser(BasePermission):
    """
    Allows access only to admin users.
    """
    def has_permission(self, request, view):
        return request.user and request.user.is_staff


You can use this in your views.py (see the docs for other ways)

from rest_framework import viewsets
from rest_framework.permissions import IsAdminUser


class StaffOnlyModelViewSet(viewsets.ModelViewSet):
    permission_classes = (IsAdminUser,)


Some users are confused by permissions and authentication and the relation between them, so I will give you a quick primer.


Authentication defines the means for a user to prove their identity, and permissions define who has access to which resources. Whether or not the identity is proven during authentication, the user's request will be checked against permissions.


When combined together, you can control a user's access. For example, if a user fails authentication but the permission class on a view is set to 'IsAuthenticatedOrReadOnly', they can still GET/LIST the resource. 'IsAdminUser' states that a user must have passed authentication and must also be staff to access this view. This is what you want in this case.
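The primer above is the part that is easiest to get wrong, so here is an added example that is neither the answerer's code nor DRF's own source: a small pure-Python model of the order in which DRF evaluates authentication and permission classes. The names has_permission, is_staff and SAFE_METHODS mirror DRF's; User, Request, check_permissions and staff_only_status are constructed stand-ins so the file runs without Django installed. It also makes visible something the question's hand-written checks miss: when a permission class fails, DRF answers 403 to a caller whose identity was proven but who is not staff, and 401 only to an unauthenticated caller whose authenticator can issue a WWW-Authenticate challenge (session authentication cannot, so it yields 403 too).

```python
# Added illustration, not DRF's own code: a pure-Python model of how
# Django REST Framework combines authentication with permission classes.
# User and Request are constructed stand-ins; the status-code choice
# follows APIView.permission_denied / handle_exception.
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass(frozen=True)
class User:
    username: str = ""
    is_authenticated: bool = False  # identity proven by an authenticator
    is_staff: bool = False          # Django's staff flag, read by IsAdminUser


@dataclass(frozen=True)
class Request:
    method: str
    user: User = field(default_factory=User)  # anonymous unless set
    # Whether the active authenticator can send a WWW-Authenticate challenge.
    # Basic/Token auth can (unauthenticated -> 401); SessionAuthentication
    # cannot (unauthenticated -> 403).
    can_challenge: bool = True


class BasePermission:
    def has_permission(self, request, view):
        return True


class IsAdminUser(BasePermission):
    """Same rule as rest_framework.permissions.IsAdminUser: staff only."""
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)


class IsAuthenticatedOrReadOnly(BasePermission):
    """Anyone may use safe methods; writes need a proven identity."""
    def has_permission(self, request, view):
        return request.method in SAFE_METHODS or request.user.is_authenticated


def check_permissions(request, permission_classes):
    """Return the status DRF would give before the view body runs: 200 when
    every permission class passes, otherwise 401 or 403 chosen the way
    APIView.permission_denied does (NotAuthenticated vs PermissionDenied)."""
    for permission in (cls() for cls in permission_classes):
        if permission.has_permission(request, view=None):
            continue
        if not request.user.is_authenticated:
            # No proven identity: NotAuthenticated -> 401 if the client can
            # be challenged, otherwise 403.
            return 401 if request.can_challenge else 403
        # Identity proven but the rule still fails: PermissionDenied -> 403.
        return 403
    return 200


def staff_only_status(request):
    """What the five hand-written checks in the question collapse to once the
    viewset declares permission_classes = (IsAdminUser,): one rule for every
    action, applied before the action body runs."""
    return check_permissions(request, (IsAdminUser,))


# Constructed sample principals
ANON = User()
MEMBER = User("alice", is_authenticated=True)
STAFF = User("bob", is_authenticated=True, is_staff=True)


if __name__ == "__main__":
    for label, req in [("anonymous GET", Request("GET")),
                       ("member POST", Request("POST", MEMBER)),
                       ("staff DELETE", Request("DELETE", STAFF))]:
        print(f"{label}: staff-only -> {staff_only_status(req)}, "
              f"auth-or-read-only -> "
              f"{check_permissions(req, (IsAuthenticatedOrReadOnly,))}")
```

Running the block prints one line per sample request; the point to take away is that the same anonymous GET is accepted by IsAuthenticatedOrReadOnly and rejected by IsAdminUser, and that an authenticated but non-staff caller gets 403 rather than the 401 the question's class returned.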
