Django-rest-framework permissions for create in viewset


Question





I am trying to create a REST API and am stuck at user registration: basically I need to have the access token before I register.

This is the view:

from django.contrib.auth.models import User
from rest_framework import status, viewsets
from rest_framework.response import Response

# UserSerializer is the asker's own serializer (not shown in the question).
# This view is written against the DRF 2.x API (request.DATA, pre_save/post_save,
# serializer.object, save(force_insert=True)).


class UserViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows users to be viewed or edited.
    """
    queryset = User.objects.all()
    serializer_class = UserSerializer

    def metadata(self, request):
        """
        Don't include the view description in OPTIONS responses.
        """
        data = super(UserViewSet, self).metadata(request)
        return data

    def create(self, request):
        serializer = self.get_serializer(data=request.DATA, files=request.FILES)

        if serializer.is_valid():
            self.pre_save(serializer.object)
            # Hash the password before the first save so the plaintext value
            # never reaches the database (the original hashed it only after
            # serializer.save() had already written the row).
            serializer.object.set_password(serializer.object.password)
            self.object = serializer.save(force_insert=True)
            self.post_save(self.object, created=True)
            # serializer.data echoes every serializer field; make sure
            # `password` is write-only in UserSerializer or the hash is returned.
            headers = self.get_success_headers(serializer.data)
            return Response(serializer.data, status=status.HTTP_201_CREATED,
                            headers=headers)

        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

This is the workaround:

from django.contrib.auth.models import User
from django.views.decorators.csrf import csrf_exempt
from rest_framework import status
from rest_framework.decorators import api_view, permission_classes
from rest_framework.parsers import JSONParser
from rest_framework.permissions import AllowAny
from rest_framework.response import Response

# UserSerializer is the asker's own serializer (not shown in the question);
# serialized.init_data is the DRF 2.x attribute holding the raw input data.
# A CORS origin is scheme://host[:port] with no path, so no trailing slash.
CORS_HEADERS = {"Access-Control-Allow-Origin": "http://127.0.0.1:8000"}


@api_view(['POST'])
@permission_classes((AllowAny,))
@csrf_exempt
def create_auth(request, format=None):
    data = JSONParser().parse(request)
    serialized = UserSerializer(data=data)

    if serialized.is_valid():
        # create_user() takes (username, email, password) in that order and
        # hashes the password itself; the original passed email first.
        user = User.objects.create_user(
            serialized.init_data['username'],
            serialized.init_data['email'],
            serialized.init_data['password'],
        )
        # WARNING: this copies client-supplied group ids onto a self-registered
        # user, so an unauthenticated caller can choose its own groups
        # (privilege escalation). Drop it or assign groups server-side.
        # Direct assignment to a many-to-many field works on Django < 2.0.
        user.groups = serialized.init_data['groups']

        user.save()

        serialized_user = UserSerializer(user)
        return Response(serialized_user.data, status=status.HTTP_201_CREATED, headers=CORS_HEADERS)
    else:
        return Response(serialized.errors, status=status.HTTP_400_BAD_REQUEST, headers=CORS_HEADERS)

My question is: How can I specify in the UserViewSet that for the create I don't require credentials? Or specify a custom authentication method? I don't want to change the authentication/permission classes for the whole viewset.

Thanks, Adi

EDIT to clarify: unregistered users should be allowed to POST registration data and should not be allowed anything else. Authenticated users can get the user list and update their own profile...this is the default behaviour. This is why AllowAny is not an option. In my view, the proper place for this is the create function, but I don't get what I am supposed to override.

Solution

Customize the get_queryset method:

def get_queryset(self):
    # Superusers see every user; everyone else sees only their own row.
    # For an AnonymousUser, request.user.id is None, so the filter below
    # returns an empty queryset.
    if self.request.user.is_superuser:
        return User.objects.all()
    else:
        return User.objects.filter(id=self.request.user.id)

This way, an authenticated user can only retrieve, modify or delete its own object.

Specify the permission_classes = (AllowAny,) so an authenticated user can create a new one.

EDIT: further explanation from comments

Customizing the get_queryset method this way means the following:

  1. Yes, non-authenticated users can send a GET request to retrieve the user list, but it will be empty, because User.objects.filter(id=self.request.user.id) ensures that only information about the authenticated user is returned.

  2. The same applies to the other methods: if an authenticated user tries to DELETE another user object, a "detail: Not found" response will be returned (because the user it is trying to access is not in the queryset).

  3. Authenticated users can do whatever they want to their user objects.
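The question asks for a per-action rule (anonymous callers may only POST a registration; everything else needs credentials) without changing the permission classes of the whole viewset. DRF's hook for that is APIView.get_permissions(), which the viewset calls on every request after setting self.action. The following is an added example, not code from the question or the answer: it implements the behaviour the asker's clarification describes (authenticated users may list and read, but only modify their own record) using DRF's BasePermission contract (has_permission / has_object_permission). The FakeUser, FakeRequest and FakeView classes are constructed stand-ins for Django's user and request objects, so the decision logic can be run outside a Django project; the try/except falls back to local copies of BasePermission, AllowAny and IsAuthenticated when rest_framework cannot be imported.

```python
"""Per-action permissions for a DRF user viewset (added example)."""
from dataclasses import dataclass

try:
    from rest_framework.permissions import (
        SAFE_METHODS, AllowAny, BasePermission, IsAuthenticated,
    )
except Exception:  # ImportError without DRF, ImproperlyConfigured without settings
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        """Minimal stand-in exposing the two hooks DRF calls."""

        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

    class AllowAny(BasePermission):
        pass

    class IsAuthenticated(BasePermission):
        def has_permission(self, request, view):
            return bool(request.user and request.user.is_authenticated)


class IsSelfOrSuperuser(BasePermission):
    """Object-level rule: any authenticated user may read a user record;
    only that user, or a superuser, may modify or delete it."""

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS or request.user.is_superuser:
            return True
        return obj.pk == request.user.pk


def permissions_for(action):
    """Permission instances for one viewset action.

    `create` (self-registration) is the only action open to anonymous
    callers. Every other action requires an authenticated user, and the
    object actions (retrieve/update/partial_update/destroy) are further
    restricted by IsSelfOrSuperuser.
    """
    if action == "create":
        return [AllowAny()]
    return [IsAuthenticated(), IsSelfOrSuperuser()]


class PerActionPermissionsMixin:
    """Mix into the real viewset:
        class UserViewSet(PerActionPermissionsMixin, viewsets.ModelViewSet): ...
    DRF calls get_permissions() per request, after setting self.action."""

    def get_permissions(self):
        return permissions_for(self.action)


@dataclass
class FakeUser:  # constructed stand-in for django.contrib.auth.models.User
    pk: object
    is_superuser: bool = False
    is_authenticated: bool = True


@dataclass
class FakeRequest:  # constructed stand-in for rest_framework.request.Request
    method: str
    user: FakeUser


@dataclass
class FakeView(PerActionPermissionsMixin):  # only what the permissions read
    action: str


ANONYMOUS = FakeUser(pk=None, is_authenticated=False)


def allowed(action, method, user, obj=None):
    """Replay APIView.check_permissions() and, when an object is involved,
    check_object_permissions(): every permission class must grant both hooks.
    obj is None for list/create, which have no object-level check."""
    request, view = FakeRequest(method, user), FakeView(action)
    perms = view.get_permissions()
    if not all(p.has_permission(request, view) for p in perms):
        return False
    if obj is None:
        return True
    return all(p.has_object_permission(request, view, obj) for p in perms)


if __name__ == "__main__":
    alice, bob = FakeUser(pk=1), FakeUser(pk=2)
    print(allowed("create", "POST", ANONYMOUS))      # True
    print(allowed("list", "GET", ANONYMOUS))         # False
    print(allowed("destroy", "DELETE", alice, bob))  # False
```

Two things still matter once create is open to anyone. First, object-level hooks only run for actions that call get_object(), so the answer's get_queryset filter (or a permission check in list) is still what keeps the list endpoint from exposing every user. Second, whatever create does with client-controlled fields is now reachable unauthenticated: the workaround's assignment of groups from the request body, or any serializer that exposes is_staff or is_superuser, would let a self-registering caller grant itself privileges, so the registration serializer should accept only username, email and a write-only password.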
