Django REST Framework: restrict data records access to the users created them

Question

I'm trying to figure out, what is the best way to manage model access permissions with Django.

I have a table of items which belong to the users who created them. All the items are managed via a RESTful API. When using this API I want to limit access to the items created by a given user.

Do I have to create several tables or is it possible to achieve the same with just one table? If I have to use multiple tables, how do I correlate API requests with a particular table?

Recommended answer

Ok, I found a way to do it via both API and admin. This basically resembles Rob's idea.

First of all, every time I create a new user via admin panel, I need to append a user to my items:

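from django.contrib import admin
from .models import MyItem  # assumed module path for the MyItem model

class MyAdmin(admin.ModelAdmin):
    def save_model(self, request, obj, form, change):
        # Stamp the logged-in admin user as owner when none is set yet.
        if getattr(obj, 'user', None) is None:
            obj.user = request.user
        obj.save()

admin.site.register(MyItem, MyAdmin)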

Then when accessing my model, I just filter by user (which is btw a foreign key to django.contrib.auth.models.User):

MyItem.objects.filter(user=request.user)

Finally, to make it work with Django REST Framework, I need to add a couple of methods to my custom ModelViewSet:

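from rest_framework import viewsets
from .models import MyItem  # assumed module paths
from .serializers import MyItemSerializer

class MyItemViewSet(viewsets.ModelViewSet):
    model = MyItem
    serializer_class = MyItemSerializer

    def get_queryset(self):
        # Only rows owned by the requesting user are ever visible.
        return MyItem.objects.filter(user=self.request.user)

    def pre_save(self, obj):
        # DRF 2.x hook, called before the object is saved.
        obj.user = self.request.user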

I've used documentation and (lots of) trial and error to figure this out.
