Implement roles in Django REST framework


Question

I am building an API that should have the following kinds of users:

super_user - create/manage admins

admin - manage events (model) and event participants

participants - participate in events, invited to events by admins

Additionally, I want each type of user to have a phone number field.

Attempt

    from django.contrib.auth.models import User
    from django.db import models


    # One profile model per role, each linked one-to-one to the built-in User.
    class SuperUser(models.Model):
        user = models.OneToOneField(User, on_delete=models.CASCADE)
        phone_number = models.CharField(max_length=20)


    class Admin(models.Model):
        user = models.OneToOneField(User, on_delete=models.CASCADE)
        phone_number = models.CharField(max_length=20)


    class Participant(models.Model):
        user = models.OneToOneField(User, on_delete=models.CASCADE)
        phone_number = models.CharField(max_length=20)

But my gut is telling me it's a wrong way to handle this. Can someone please help?

Recommended answer

One possible solution is:



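1. Have only one User model with a role field, which defines what the user's role is.
2. Create user groups and add the permissions each group needs.
3. Add the user to the user group.
4. Limit access using Django REST framework (later DRF) permission classes.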


Explanation:

1. Using only one user model is a simpler and more flexible solution. You can query all users, or filter by feature (like user role). The standard Django auth system expects one UserModel.

2. Read more about Django user groups. See "Django Permissions Docs #1" and "Django Groups Docs #2". Also useful is "User groups and permissions".

   You need to create a group for each user role and add the needed permissions to each group. (Django has default model permissions, created automatically; look at the docs on the given links.) Or create the needed permissions manually in the model definition.

3. Manually or using a script, add the User to the needed group by defining his role when the user is created, or manually through the Django Admin interface.

4. Now everything should be ready for limited access by the user's role. You can easily limit access to the DRF View using a permission class. See more information in the "DRF Permission Docs".

Let's define our own:

    # mypermissions.py
    from django.contrib.auth import get_user_model
    from rest_framework.permissions import BasePermission, DjangoModelPermissions

    # The project's user model; this code relies on it defining a `role` field
    # and the SUPERVISOR / ADMINISTRATOR role constants.
    User = get_user_model()


    # Using DjangoModelPermissions we can limit access by checking user permissions.
    # Rights are needed only for create/update/delete actions.
    class CUDModelPermissions(DjangoModelPermissions):
        perms_map = {
            'GET': [],
            'OPTIONS': [],
            # HEAD is a read like GET, so it needs no model permission either.
            'HEAD': [],
            'POST': ['%(app_label)s.add_%(model_name)s'],
            'PUT': ['%(app_label)s.change_%(model_name)s'],
            'PATCH': ['%(app_label)s.change_%(model_name)s'],
            'DELETE': ['%(app_label)s.delete_%(model_name)s'],
        }


    # Or you can inherit from the BasePermission class and define your own rule for access.
    class AdminsPermissions(BasePermission):
        allowed_user_roles = (User.SUPERVISOR, User.ADMINISTRATOR)

        def has_permission(self, request, view):
            user = request.user
            # AnonymousUser has no `role` attribute, so check authentication first.
            if not user or not user.is_authenticated:
                return False
            return getattr(user, 'role', None) in self.allowed_user_roles


    # ----
    # views.py
    from rest_framework import generics

    from .mypermissions import CUDModelPermissions, AdminsPermissions
    # SomeModel and MyModelSerializer are placeholder names; the module paths
    # below are assumed.
    from .models import SomeModel
    from .serializers import MyModelSerializer


    class MyViewWithPermissions(generics.RetrieveUpdateDestroyAPIView):
        permission_classes = [CUDModelPermissions]
        queryset = SomeModel.objects.all()
        serializer_class = MyModelSerializer

You can add additional permission classes to combine access limitations.
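The group-based check the answer describes, as an added example that is not part of the original answer: a stand-alone model (no Django import) of how a `perms_map` like the one above is expanded and matched against the permissions a role's group grants. The group assignments, the `events` and `accounts` app labels and the model names are assumptions made for illustration.

```python
"""Stand-alone model (no Django import) of a DjangoModelPermissions-style check."""
# Based on the answer's perms_map; HEAD is treated like GET here (assumption).
PERMS_MAP = {
    "GET": [], "OPTIONS": [], "HEAD": [],
    "POST": ["%(app_label)s.add_%(model_name)s"],
    "PUT": ["%(app_label)s.change_%(model_name)s"],
    "PATCH": ["%(app_label)s.change_%(model_name)s"],
    "DELETE": ["%(app_label)s.delete_%(model_name)s"],
}

def model_perms(app, model, actions=("add", "change", "delete")):
    """Codenames in Django's '<app_label>.<action>_<model_name>' form."""
    return {f"{app}.{action}_{model}" for action in actions}

# Assumed group -> permission assignment; app labels and model names are hypothetical.
GROUP_PERMS = {
    "super_user": model_perms("accounts", "user"),
    "admin": model_perms("events", "event") | model_perms("events", "participant"),
    "participant": set(),
}

def required_perms(method, app_label, model_name):
    """Expand the permission templates for one HTTP method."""
    if method not in PERMS_MAP:
        raise KeyError(f"method not allowed: {method}")
    names = {"app_label": app_label, "model_name": model_name}
    return [template % names for template in PERMS_MAP[method]]

def is_allowed(role, method, app_label, model_name):
    """role=None models an anonymous request."""
    if role is None:
        # DRF's DjangoModelPermissions refuses unauthenticated users by
        # default, even for methods whose required-permission list is empty.
        return False
    try:
        needed = required_perms(method, app_label, model_name)
    except KeyError:
        return False  # DRF answers 405 here; this model simply denies
    granted = GROUP_PERMS.get(role, set())  # unknown role: no permissions
    return all(perm in granted for perm in needed)  # every listed perm is required

def access_matrix(app_label, model_name):
    """Methods each role may call on one model, for review."""
    return {role: sorted(m for m in PERMS_MAP if is_allowed(role, m, app_label, model_name))
            for role in GROUP_PERMS}

if __name__ == "__main__":
    for role, methods in access_matrix("events", "event").items():
        print(f"{role:12} {', '.join(methods)}")
```

Reviewing the matrix per model shows which roles can write where before the groups are created, and that an empty `GET` list does not make a view public.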
