Posted: 2020-10-19 12:23:30
Question:
I would like to ask how to control object permissions in Django Rest Framework so that the behaviour is as follows:
- A User can neither DELETE nor PUT.
- An Admin is also a User and can additionally DELETE and PUT.
- To access the API at all (including SAFE_METHODS), the User must be Authenticated.
I have tried the standard permissions such as permissions.IsAdminUser and IsAuthenticatedOrReadOnly, but they do not match.
Is there a standard permission that implements the table below? If not, what is the best next step: controlling permissions through the Django model or through DRF?
| API end-points | HTTP Method | Authenticate | Permissions | Result |
|---------------------- |------------- |------------ |------------ |------------------------------------------ |
| /products | GET | User | User | List of product |
| /products | POST | User | User | Create new product |
| /products/{product_pk}| GET | User | User | Retrieve details of particular product |
| /products/{product_pk}| PUT | Admin | Admin | Fully update particular product's info |
| /products/{product_pk}| PATCH | User | User | Partially update particular product's info |
| /products/{product_pk}| DELETE | Admin | Admin | Delete particular product's details from DB |
serializers.py
```python
from rest_framework.serializers import HyperlinkedModelSerializer

from .models import Product


class ProductSerializer(HyperlinkedModelSerializer):
    class Meta:
        model = Product
        fields = '__all__'
```
views.py
```python
from rest_framework import authentication, permissions, viewsets

from .models import Product
from .serializers import ProductSerializer


class ProductView(viewsets.ModelViewSet):
    queryset = Product.objects.all()
    serializer_class = ProductSerializer
    authentication_classes = [authentication.SessionAuthentication, authentication.TokenAuthentication]
    # IsAdminUser (is_staff) is applied to every method, so plain users are locked out of GET/POST/PATCH too
    permission_classes = (permissions.IsAdminUser,)
```
urls.py
```python
from django.urls import include, path
from rest_framework import routers
from rest_framework.authtoken import views

from .views import ProductView

router_v1 = routers.DefaultRouter()
router_v1.register('products', ProductView)

urlpatterns = [
    path('v1/', include(router_v1.urls)),
    path('api-token-auth/', views.obtain_auth_token, name='api-token-auth'),
    path('api-auth/', include('rest_framework.urls')),
]
```
Discussion:
Tags: python django rest django-rest-framework
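No single built-in DRF permission encodes the table above (IsAdminUser gates every method on `is_staff`, IsAuthenticatedOrReadOnly lets anyone read), so the usual approach is a custom `BasePermission` whose `has_permission` decides per HTTP method. The following is an added example, not code from the question or from DRF itself: it requires an authenticated user for every method and additionally requires `is_staff` (the same flag DRF's IsAdminUser checks) for PUT and DELETE. The `allowed` helper, the constructed sample users and the fallback `BasePermission` stub (used only so the logic runs where DRF is not installed) are assumptions of this example.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except Exception:  # DRF/Django not importable here: minimal stand-in so the logic below still runs
    SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


# Methods that only an admin (is_staff) may use; GET/POST/PATCH stay open to any authenticated user.
ADMIN_ONLY_METHODS = frozenset({'PUT', 'DELETE'})


class IsAuthenticatedAdminForPutDelete(BasePermission):
    """Every request needs an authenticated user; PUT and DELETE additionally need is_staff.

    Usage in the question's viewset (hypothetical wiring, not the original code):
        permission_classes = (IsAuthenticatedAdminForPutDelete,)
    """

    def has_permission(self, request, view):
        user = getattr(request, 'user', None)
        # Anonymous callers are rejected even for SAFE_METHODS, per the table.
        if user is None or not getattr(user, 'is_authenticated', False):
            return False
        if request.method in ADMIN_ONLY_METHODS:
            # Same check DRF's IsAdminUser performs: is_staff, not is_superuser.
            return bool(getattr(user, 'is_staff', False))
        return True


def allowed(method, user):
    """Evaluate the permission for a constructed request carrying `user` (no Django needed)."""
    request = SimpleNamespace(method=method.upper(), user=user)
    return IsAuthenticatedAdminForPutDelete().has_permission(request, view=None)


# Constructed sample principals mirroring Django's user attributes.
ANONYMOUS = SimpleNamespace(is_authenticated=False, is_staff=False)
USER = SimpleNamespace(is_authenticated=True, is_staff=False)
ADMIN = SimpleNamespace(is_authenticated=True, is_staff=True)


def access_matrix():
    """Return {(role, method): allowed} for the roles and methods in the question's table."""
    roles = {'anonymous': ANONYMOUS, 'user': USER, 'admin': ADMIN}
    methods = ('GET', 'POST', 'PATCH', 'PUT', 'DELETE')
    return {(role, m): allowed(m, principal) for role, principal in roles.items() for m in methods}


if __name__ == '__main__':
    for (role, method), ok in sorted(access_matrix().items()):
        print(f'{role:<10} {method:<7} {"allowed" if ok else "denied"}')
```

Because the decision is made in `has_permission`, the check runs before the object is loaded, so an unprivileged DELETE or PUT is rejected without a database hit; `has_object_permission` is only needed if ownership of a particular product should also matter, which the table does not require.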