Django: A more DRY way to prevent edit/delete of objects?


Problem description

After reading the Django permission documentation, I'm still confused. I'd like to prevent users from editing or deleting objects they don't own. I did it this way and it works:

In views.py:

def deleteReward(request, reward_id):
    reward = get_object_or_404(Reward, pk=reward_id)
    if reward.owner.user != request.user: # if the user linked to the reward is not the current one
        raise Exception("This reward is not yours, you can't delete it !")
    #...

But I think this isn't clean and DRY for two reasons:

  1. In each editStuff and deleteStuff view, I'll have to write the same portion of code.

  2. I'm currently writing an API with Tastypie, and if the permission logic is in a view, I won't be able to re-use it. The best way to deal with it seems to be to map the API permission to the Django permissions (but the code I wrote in my view has nothing to do with permissions).

Could you help me find the right way to do it? Thanks a lot.

Recommended answer

Here is my working example.

1) QuerySet

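from django.db import models


class PermissionQuerySet(models.query.QuerySet):
    # Rows the given user is allowed to edit: only the ones they own.
    def editable_by(self, user):
        return self.filter(user=user)

    # Rows the given user is allowed to view.
    def viewable_by(self, user):
        return self.filter(user=user)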

2) Manager

class PermissionManager(models.Manager):
    # Named get_queryset() since Django 1.6; older releases called it get_query_set().
    def get_queryset(self):
        return PermissionQuerySet(self.model, using=self._db)

    def editable_by(self, user, *args):
        return self.get_queryset().editable_by(user, *args)

    def viewable_by(self, user, *args):
        return self.get_queryset().viewable_by(user, *args)

3) Model

class MyModel(models.Model):
    ...
    objects = PermissionManager()

This approach works perfectly with class-based views. I see you are using TastyPie. I have never used it before, but it seems it uses class-based views too.

Here is a working example:

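from django.views.generic import UpdateView


class MyUpdateView(UpdateView):
    def post(self, request, *args, **kwargs):
        self.request = request
        # Return the response, otherwise the view hands back None.
        return super(MyUpdateView, self).post(request, *args, **kwargs)

    # Class-based views call get_queryset(); a method named get_query_set() is never invoked.
    def get_queryset(self):
        queryset = super(MyUpdateView, self).get_queryset()
        queryset = queryset.editable_by(self.request.user)
        if not queryset.exists():
            raise Exception("This reward is not yours, you can't delete it !")
        return queryset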

I think you can imagine how to use this approach in CreateView and DeleteView. And I think it is easy to implement this in TastyPie.
