如何在Django Rest框架中基于用户组允许/拒绝API权限 [英] How to allow/ reject api permisions based on user group in django rest framework

查看:44
本文介绍了如何在Django Rest框架中基于用户组允许/拒绝API权限的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有两组用户创建者和查看者创建者可以创建,更新,查看和删除数据,而查看器只能查看数据.

I have 2 groups of user Creator and viewer Creator can create,update, view , delete data while Viewer only can view data.

我不明白如何轻松地实现它们.我觉得如果团体可以拥有自定义访问权限,我将拥有完全控制权,也许是自定义类

I cant understand how to implement them easily.:Later on if Imay have to allow certain crud for different models. i feel if groups can have custom acess I will have full control , maybe a custom class

我已经分离了api,现在需要检查组是否匹配,然后允许对api进行操作.

I have separated the apis now need to check if group matches then allow action on the api.

serializer.py

serializer.py

from rest_framework import serializers
from trackit_create.models import upload_status_image, track_info
from django.contrib.auth.models import Group



class StatusSerializer(serializers.ModelSerializer):

    class Meta:
        model=track_info
        fields = ('id','description','Manufacture','user','Cost','image')

views.py 

 has option to create data 
class AssetCreator(mixins.CreateModelMixin, generics.ListAPIView,mixins.ListModelMixin):
    serializer_class =StatusSerializer
    authentication_classes= [TokenAuthentication]
    permission_classes = [permissions.IsAuthenticated]


    # def get(self, request, *args, **kwags):
    #     return self.get(request, *args, **kwags)

    def get_queryset(self):
        qs= track_info.objects.all()
        query= self.request.GET.get('q')
        if query is not None:
            qs=qs.filter(content__icontains=query)
            return qs

    def get_object(self):
        request = self.request
        passed_id = request.GET.get('id',None)
        queryset =self.get_queryset()

        if passed_id is not None:
            obj = get_object_or_404(queryset, id = passed_id)
            self.check_object_permissions(request, obj)        
        return obj       

    def post(self, request, *args, **kwags):
        return self.create(request, *args, **kwags)


# has permision to edit, delete data based on the 
class StatusAPIDetailView(mixins.UpdateModelMixin, mixins.DestroyModelMixin, generics.RetrieveAPIView):


    serializer_class = StatusSerializer
    authentication_classes= [TokenAuthentication]    
    permission_classes = [permissions.IsAuthenticated]    
    queryset= track_info.objects.all()
    lookup_field ='id'


    def put(self,request,*args,**kwargs):
        return self.update(request, *args, **kwargs)


    def delete(self,request,*args,**kwargs):
        return self.destroy (request, *args, **kwargs)

    def patch(self,request,*args,**kwargs):
        return self.update (request, *args, **kwargs)

    def perform_update(self, serializer):
        serializer.save(updated_by_user= self.request.user)

    def perform_destroy(self,request):
        if instance is not None:
            return instance.delete()        
        return None


class AssetGetlist(APIView):
    permission_classes = [permissions.IsAuthenticated]
    authentication_classes= [TokenAuthentication]
    def get(self,request,format=None):
        qs = track_info.objects.all()
        query_set = Group.objects.filter(user = request.user)
        print ("fgfgf",query_set) # getting the group user is in 
        pm=print(query_set[0])
        #data={'grp':pm}           
        serializer= StatusSerializer(qs, many=True)
        return Response(serializer.data, status =status.HTTP_200_OK)

models.py

models.py

class track_info(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete= models.CASCADE)
    Entry_date = models.DateField(auto_now_add=True) 
    description = models.TextField(null=True, blank=True)
    image = models.ImageField(null=True, blank=True)
    Manufacture= models.CharField(max_length=100)
    Cost = models.IntegerField(null=True, blank=True)

我已引用 https://www.botreetechnologies.com/blog/django-user-groups-permission 但我无法将其与我的代码关联

I have refered to https://www.botreetechnologies.com/blog/django-user-groups-and-permission but i cant relate it with my code

也指代堆栈溢出,但无法解决

also refereed to stack-overflow but couldn't solve

推荐答案

您可以创建

You can create a custom permission class by extending Django Rest Framework BasePermission.

您将需要实现 has_permission 方法,在该方法中您可以访问请求对象和视图对象.您可以检查request.user是否在正确的组中,并根据需要返回True/False.

You'll need to implement has_permission method where you have access both the request and view objects. You can check request.user for being in right group and return True/False as appropriate.

类似这样的东西:

from rest_framework.permissions import BasePermission

class CreatorOnly(BasePermission):
    def has_permission(self, request, view):
        if request.user.groups.filter(name='your_creator_group').exists() and request.method in YOUR_ALLOWED_METHODS:
           return True
        return False

然后将其添加到您的查看权限列表中:

And then add this into your view permissions list:

class AssetCreator(mixins.CreateModelMixin, generics.ListAPIView,mixins.ListModelMixin):
    ...
    permission_classes = [CreatorOnly]

这篇关于如何在Django Rest框架中基于用户组允许/拒绝API权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆