Python:如何设置权限检查,使模型只能由其所属用户更新?
以下是我用于更新 Domain 模型的代码:
serializer.py:
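class DomainUpdateSerializer(serializers.ModelSerializer):
    """Serializer used by the update endpoint for ``Domain``.

    Fields are listed explicitly instead of ``"__all__"`` so that a request
    body can only touch what was deliberately exposed, and so that a field
    added to the model later is not published by accident.
    """

    class Meta:
        model = Domain
        fields = (
            "id",
            "domain_name",
            "cname",
            "ssl_cert",
            "ssl_key",
            "ctime",
            "uptime",
        )
        # Ownership is derived from ``cname.user``. If ``cname`` were writable,
        # an update request could move the domain under a different owner,
        # which defeats an owner-only permission check. Reassignment, if it is
        # needed at all, belongs in a separate staff-only serializer.
        read_only_fields = ("cname",)
        # Accept the private key on write but never echo it back in a response.
        extra_kwargs = {"ssl_key": {"write_only": True}}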
models.py:
class Domain(models.Model):
    """A served domain name together with its TLS certificate and key.

    Each row points at one ``CNAMEModel``; the owner of a domain is reached
    through ``domain.cname.user``.
    """

    domain_name = models.CharField(
        help_text='domain. eg.example.com',
        max_length=512,
    )
    # NOTE(review): a ForeignKey with unique=True behaves like a one-to-one
    # link, and Django's system checks warn about it (fields.W342).
    # NOTE(review): ``CNAMEModel`` has to be defined before this class body
    # runs; in the listing it appears later, so confirm the real file order.
    # DO_NOTHING leaves referential integrity entirely to the database.
    cname = models.ForeignKey(
        to=CNAMEModel,
        on_delete=models.DO_NOTHING,
        related_name="domains",
        unique=True,
        help_text="CNAME",
    )
    # max_length on a TextField only affects the generated form widget; it is
    # not enforced by the model or the database.
    ssl_cert = models.TextField(
        help_text="SSL cert + ca-bundle",
        max_length=40960,
    )
    # NOTE(review): the private key is kept as plain text in this column, so
    # anyone who can read the table or its backups can recover it. Consider
    # encrypting it at rest or holding keys in a dedicated secrets store.
    ssl_key = models.TextField(
        help_text="SSL key",
        max_length=40960,
    )
    ctime = models.DateTimeField(auto_now_add=True)  # set once on insert
    uptime = models.DateTimeField(auto_now=True)  # refreshed on every save

    class Meta:
        ordering = ['ctime']
        verbose_name = "domain"
        verbose_name_plural = "domain"

    def __str__(self):
        """Return the domain name as the display string."""
        return self.domain_name

    def __unicode__(self):
        """Return the domain name (Python 2 style text hook)."""
        return self.domain_name
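class CNAMEModel(models.Model):
    """A CNAME record that belongs to exactly one user.

    ``user`` is the ownership anchor: permission checks on a ``Domain``
    follow ``domain.cname.user`` to decide who may modify it.
    """

    name = models.CharField(max_length=64, unique=True, help_text=". eg:gat.demo.com")
    desc = models.CharField(max_length=5120, null=True, blank=True, help_text="desc")
    desc_en = models.CharField(max_length=5120, null=True, blank=True)
    # OneToOneField is already unique; the explicit unique=True is redundant
    # but harmless and is kept as written.
    # DO_NOTHING leaves referential integrity to the database when the user
    # row is deleted. NOTE(review): decide what should happen to a CNAME whose
    # owner is removed, since ownership checks depend on this link.
    user = models.OneToOneField(
        unique=True,
        to=AuthUser,
        on_delete=models.DO_NOTHING,
        help_text="belong user",
    )
    is_active = models.BooleanField(default=True)
    ctime = models.DateTimeField(auto_now_add=True)  # set once on insert
    uptime = models.DateTimeField(auto_now=True)  # refreshed on every save

    def __str__(self):
        """Return the CNAME as the display string."""
        return self.name

    def __unicode__(self):
        """Return the CNAME (Python 2 style text hook)."""
        return self.name

    class Meta:
        verbose_name = "CNAME"
        verbose_name_plural = "CNAME"
        ordering = ['ctime']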
views.py:
class DomainUpdateAPIView(UpdateAPIView):
    """Update endpoint for ``Domain`` as it stands in the question.

    Every class listed in ``permission_classes`` must grant access, so with
    this configuration only authenticated staff users get through. There is
    no object-level check tying a domain to its owning user yet.
    """

    queryset = Domain.objects.all()
    serializer_class = DomainUpdateSerializer
    permission_classes = (IsAuthenticated, IsAdminUser)
可以看到,Domain 属于 CNAME,而 CNAME 属于用户。
我的问题是:如何做权限检查,使 Domain 只能由其所属用户或管理员(AdminUser)更新?(IsAdminUser 部分已解决。)
或者,也可以用权限以外的其他方式来实现。
可以再添加一个自定义权限类:
from rest_framework import permissions
from rest_framework.exceptions import PermissionDenied
class IsOwnerOrReadOnly(permissions.BasePermission):
    """Object-level permission: anyone may read, only the owner may write.

    The owner of a ``Domain`` is the user attached to its CNAME
    (``obj.cname.user``). This check runs only when the view calls
    ``check_object_permissions``; DRF's generic views do that inside
    ``get_object()``, but a view that loads the object by hand has to call
    it explicitly or the check is skipped.
    """

    def has_object_permission(self, request, view, obj):
        """Return True for safe methods, or when the requester owns ``obj``."""
        # GET, HEAD and OPTIONS never modify the object, so they always pass.
        is_read_only = request.method in permissions.SAFE_METHODS
        # Short-circuit keeps the owner lookup off the read-only path.
        return is_read_only or obj.cname.user == request.user
然后在视图中加入 IsOwnerOrReadOnly。注意:permission_classes 中列出的各个权限类是“与”的关系,请求必须通过其中每一个:
from .permissions import IsOwnerOrReadOnly
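class DomainUpdateAPIView(UpdateAPIView):
    """Update endpoint for ``Domain``, open to staff or the owning user.

    Two independent controls enforce ownership: the composed permission
    below, and a queryset that only contains the requester's own domains
    unless the requester is staff.
    """

    serializer_class = DomainUpdateSerializer
    # Entries in this list are ANDed. Listing IsAdminUser and
    # IsOwnerOrReadOnly side by side would therefore reject every non-staff
    # owner, so the two are combined with ``|`` (staff OR owner).
    # NOTE(review): operator composition needs a DRF release that supports
    # it, and older releases evaluated the object-level half of an OR
    # loosely enough that IsAdminUser's default object-level "allow" could
    # let any authenticated user through. Confirm the installed version; the
    # queryset scoping below does not depend on it.
    permission_classes = [IsAuthenticated, IsAdminUser | IsOwnerOrReadOnly]
    queryset = Domain.objects.all()

    def get_queryset(self):
        """Return all domains for staff, otherwise only the requester's own.

        A non-owner asking for someone else's domain gets a 404 from
        ``get_object()``, which also avoids confirming that the row exists.
        """
        domains = super().get_queryset()
        requester = self.request.user
        if requester.is_staff:
            return domains
        return domains.filter(cname__user=requester)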