Django中的对象所有权 [英] Object Ownership in Django

问题描述

我想知道如何用Django模型完成一个简单的对象所有权系统，这样默认情况下，只有对象的所有者才能对其进行编辑。

I'm wondering how I might accomplish a simple 'object ownership' system with django models, such that, by default, only the owner of an object may edit it.

我试图允许管理组代表对象所有者编辑所有对象，并在此时添加了自定义权限：

I am attempting to allow a 'Management' group to edit all objects on behalf of the object owners, and have at this point added a custom permission:

class Meta:
    permissions     = (
        ("manage_object", "Can manage objects"),
    )

为了建立所有权，我想在模型中添加一个def：

To establish 'ownership' I've toyed with the idea of adding a def to the model:

def owner(self):
    return self.user

但是，我该怎么走？我可以在视图中实现权限并使用模板显示相关的UI，即：

But then, how might I go further? I could implement the permissions in a view and display relevant UI with a template, i.e.:

if request.user is object.owner:
    # ... do stuff
elseif request.user.has_perm.can_manage:  # this line is probably not right
    # ... do something else

...，然后在模板级别显示不同的UI元素。

... and then present different UI elements on a template level.

因此，问题是：

• 这种方法有什么缺点/好处？


• 有建议吗？


• 还是其他任何以前实现的方法？

最感谢！

推荐答案

我的方法是在模型中添加方法：

My approach would be adding a method to the model:

class YourModelWithOwnership(models.model):
    ...

    def user_can_manage_me(self, user):
        return user == self.user or user.has_perm('your_app.manage_object')

n每当需要权限检查时就调用该方法，并根据结果采取一些措施。因此对于从django.shortcuts import get_object_or_404
...
$ b的

I'd then call that method whenever a permission check is required, and take some action based on the outcome. So for a view that would be

from django.shortcuts import get_object_or_404
...

def view_func(request, item_id):
    item = get_object_or_404(YourModelWithOwnership, id=item_id) # or whatever is needed to get the object
    if not item.user_can_manage_me(request.user):
        # user not allowed to manage
        ...
    else:
        ...

稍后，我可能会意识到，在需要该测试的每个视图中仍要编写一些样板代码，因此我实现了一个当用户无法管理对象时引发的异常。 。

Later I'd probably realize that that's still quite some boilerplate code to write in every view that needs that test, so I'd implement an exception that's thrown when a user can't manage an object...

class CannotManage(Exception):
    pass

...并向模型添加另一种方法：

...and add another method to the model:

from django.db import models
from django.shortcuts import get_object_or_404

class YourModelWithOwnership(models.model):
    ...

    @classmethod
    def get_manageable_object_or_404(cls, user, *args, **kwds):
        item = get_object_or_404(cls, *args, **kwds)
        if not item.user_can_manage_me(user):
            raise CannotManage
        return item

然后，可以在视图函数中使用：

Then, in the view functions, this can be used:

def view_func(request, item_id):
    item = YourModelWithOwnership.get_manageable_object_or_404(request.user, id=item_id)
    ...

当用户不是所有者时，这当然会引发异常并且没有适当的许可。可以在process_exception（）方法中处理该异常。 / rel = noreferrer>自定义中间件类，以便在不允许用户弄乱对象的所有实例中都有一个处理程序。

This will of course raise an exception when the user isn't the owner and does not have the proper permission. That exception can be handled in the process_exception() method of a custom middleware class so that there's a single handler for all instances where a user is not allowed to mess with the object.

这篇关于Django中的对象所有权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！