Django Per Object Permission for Your Own User Model


Problem description

I have implemented my own User model class as follows. Note that it is NOT customizing django's auth.User model. I am new to this object permission knowledge, especially for this self-defined User model which is required in my project.

Could you give an example of adding per-object permission in this case?

from django.db import models
from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin


class CustomUser(AbstractBaseUser, PermissionsMixin):
    email = models.EmailField(max_length=40, unique=True)
    USERNAME_FIELD = 'email'  # AbstractBaseUser requires a unique login field
    # .... other fields are omitted


class Article(models.Model):
    title = models.CharField('title', max_length=120)
    body = models.TextField('body')
    # on_delete is mandatory from Django 2.0 on
    author = models.ForeignKey(CustomUser, on_delete=models.CASCADE)

Now, the object permission comes into play. Each user can create/update/delete/view their own article objects, but can ONLY view others' articles, without permission to update/delete them.

From the Django docs, the model-level permission does not apply here. If the Article is given a model-level update permission, then all users can update others' Articles.

I found django-guardian. However, there seems to be no hope for this self-defined CustomUser model, as it relies heavily on Django's auth.User model!

https://django-guardian.readthedocs.org/en/v1.2/userguide/custom-user-model.html

  1. My case inherits AbstractBaseUser rather than AbstractUser;
  2. This is not for the admin, but for my backend code logic;
  3. I am not using the Django REST API here, but if the REST API is appropriate, please give an example.

Recommended answer

Object-level permissions are not built into Django, even when using the standard auth.User model. But the foundation is there, in that Django's PermissionsMixin defines the has_perm method, which accepts a model instance. Django does nothing with it by default, but you can.

The has_perm method effectively passes the hard work off to the registered authentication backends. So you can create a custom authentication backend specifically for performing your object-level permission checks. It does not need to actually handle authentication. It can be as simple as a single method on a basic class. Something like the following (untested) is all you should need:

class ObjectPermissionsBackend(object):
    """Answers object-level permission checks only; it never logs anyone in."""

    def authenticate(self, request=None, **credentials):
        # django.contrib.auth.authenticate() inspects every backend's
        # authenticate(); returning None means "not my credentials".
        return None

    def get_user(self, user_id):
        return None  # only consulted for the backend that logged the user in

    def has_perm(self, user_obj, perm, obj=None):
        if obj is None:
            return False  # not dealing with non-object permissions
        if not user_obj.is_active:
            return False  # inactive accounts get nothing, as in ModelBackend
        if perm == 'view':
            return True  # anyone can view
        # Everything else (edit, delete, ...) only for the article's author.
        author_id = getattr(obj, 'author_id', None)
        return author_id is not None and author_id == user_obj.pk

Tell Django to use your custom backend via the AUTHENTICATION_BACKENDS setting. In settings.py:

AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend', 'path.to.ObjectPermissionsBackend')

Then, in your code:

from django.core.exceptions import PermissionDenied

if user.has_perm('edit', article_instance):
    ...  # allow editing
else:
    raise PermissionDenied  # fail closed for everyone but the author

See https://docs.djangoproject.com/en/1.8/topics/auth/customizing/#custom-users-and-permissions and https://docs.djangoproject.com/en/1.8/topics/auth/customizing/#specifying-authentication-backends
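The dispatch the answer describes, as an added stand-alone example that is not part of the original answer and not Django's own code: Django is not imported, so User, Article, PermissionDenied and ModelBackend below are minimal stand-ins (assumptions), and user_has_perm() replicates the loop Django documents for PermissionsMixin.has_perm and _user_has_perm (superuser short-circuit, backends asked in AUTHENTICATION_BACKENDS order, first True wins, PermissionDenied ends the check with False). It also exercises the questioner's concern that a model-level change permission must not leak into object-level checks.

```python
"""Stand-alone model of how user.has_perm(perm, obj) fans out to backends."""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (assumption)."""


class User:
    """Stand-in for the CustomUser model (assumption)."""

    def __init__(self, pk, is_active=True, is_superuser=False, model_perms=()):
        self.pk = pk
        self.is_active = is_active
        self.is_superuser = is_superuser
        self.model_perms = set(model_perms)  # e.g. {'blog.change_article'}


class Article:
    """Stand-in for the Article model: only pk and author_id matter here."""

    def __init__(self, pk, author):
        self.pk = pk
        self.author_id = author.pk


class ModelBackend:
    """Stand-in for django.contrib.auth.backends.ModelBackend: it knows only
    model-level permissions and answers False as soon as an obj is passed."""

    def has_perm(self, user_obj, perm, obj=None):
        if not user_obj.is_active or obj is not None:
            return False
        return perm in user_obj.model_perms


class ObjectPermissionsBackend:
    """The answer's backend with the is_active and author_id guards added."""

    def authenticate(self, request=None, **credentials):
        return None  # never logs anyone in

    def get_user(self, user_id):
        return None

    def has_perm(self, user_obj, perm, obj=None):
        if obj is None:
            return False  # model-level perms stay with ModelBackend
        if not user_obj.is_active:
            return False  # inactive accounts get nothing
        if perm == 'view':
            return True  # anyone can view
        author_id = getattr(obj, 'author_id', None)
        return author_id is not None and author_id == user_obj.pk


# Same order as the AUTHENTICATION_BACKENDS setting in the answer.
AUTHENTICATION_BACKENDS = [ModelBackend(), ObjectPermissionsBackend()]


def user_has_perm(user, perm, obj=None):
    """Replica of PermissionsMixin.has_perm followed by _user_has_perm."""
    if user.is_active and user.is_superuser:
        return True  # active superusers bypass every backend
    for backend in AUTHENTICATION_BACKENDS:
        if not hasattr(backend, 'has_perm'):
            continue
        try:
            if backend.has_perm(user, perm, obj):
                return True
        except PermissionDenied:
            return False  # a backend can veto the whole check
    return False


def edit_article(user, article):
    """View-style guard: fail closed unless the user may edit this article."""
    if not user_has_perm(user, 'edit', article):
        raise PermissionDenied('only the author may edit article %d' % article.pk)
    return 'edited %d' % article.pk


if __name__ == '__main__':
    alice, bob = User(pk=1), User(pk=2, model_perms={'blog.change_article'})
    post = Article(pk=10, author=alice)
    print('alice edit:', user_has_perm(alice, 'edit', post))  # True
    print('bob edit:', user_has_perm(bob, 'edit', post))      # False
    print('bob view:', user_has_perm(bob, 'view', post))      # True
```

Note that bob's model-level 'blog.change_article' still answers True when no object is passed (ModelBackend handles it), but it does not let him edit alice's article once the object is supplied, which is exactly the separation the question asks for.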
