Django - Multiple permissions in a view

I want to create permissions for a view that verify whether the user is the owner of a shop or an admin. I have already created two permissions that work fine when called separately: one checks that a user is an admin, the other checks that the user is the owner of the shop. I now want to create a global condition that verifies that one of the two conditions is met.

Here is what I am starting from:

utils.py

from rest_framework.permissions import BasePermission
from rest_framework.views import APIView
from rest_framework.generics import GenericAPIView

from .models import UserShop  # assumed location of the UserShop model


class IsOwner(BasePermission):
    """
    Check if the user who made the request is the owner.
    Use like this: permission_classes = [IsOwner]
    """
    def has_permission(self, request, view):
        # View-level check: any authenticated user gets as far as the object-level check
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        # Object-level check: the user must be linked to this shop
        return UserShop.objects.filter(user=request.user, shop=obj).exists()


class IsAdmin(BasePermission):
    """
    Check if the user who made the request is an admin.
    Use like this: permission_classes = [IsAdmin]
    """
    def has_permission(self, request, view):
        if 'Authorization' not in request.headers:
            return False
        return request.user.is_admin
    # No has_object_permission here, so BasePermission's default applies


class OwnerView(GenericAPIView):
    """
    Check if a user is the owner
    """
    permission_classes = (IsOwner,)


class AdminView(APIView):
    """
    Check if a user is an admin
    """
    permission_classes = (IsAdmin,)

Here is what I am trying to do:

class AdminOrOwnerView(GenericAPIView):
    """
    Check if a user is an admin or the owner
    """
    permission_classes = (IsOwner | IsAdmin,)

Currently, this condition lets any logged-in user use my view.

Here is my view:

views.py

from rest_framework import status
from rest_framework.response import Response

from .models import Shop
from .serializers import ShopSerializer  # assumed location of the serializer
from .utils import AdminOrOwnerView


class ShopDetail(AdminOrOwnerView):
    """Edit or delete a shop"""
    queryset = Shop.objects.all()
    lookup_field = 'path'

    def put(self, request, path):
        """For an admin or the shop owner to edit a shop"""
        shop = self.get_object()  # runs check_object_permissions() for this shop
        serializer = ShopSerializer(shop, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

Thanks in advance for your help.

You have combined the two permissions like this:

permission_classes = (IsOwner | IsAdmin,)

First, has_permission is called and succeeds, because in that case IsOwner returns True for a logged-in user. Next, when has_object_permission is called, it succeeds again, because this time IsAdmin returns True (since you have not implemented anything there).

One solution is to explicitly check again, in has_object_permission of IsAdmin, whether the user is an admin:

from rest_framework.permissions import BasePermission


class IsAdmin(BasePermission):
    """
    Check if the user who made the request is an admin.
    Use like this: permission_classes = [IsAdmin]
    """
    def has_permission(self, request, view):
        if 'Authorization' not in request.headers:
            return False
        return request.user.is_admin

    def has_object_permission(self, request, view, obj):
        # Override the permissive default so the object-level check also requires admin
        return self.has_permission(request, view)  # reuse `has_permission`
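As an added illustration (not part of the answer, and not DRF's own code), here is a small self-contained model of the composition rules the answer relies on: BasePermission.has_object_permission defaults to True and `A | B` ORs the two checks. It reproduces why IsOwner | IsAdmin lets any logged-in user through at the object level and shows that the fix closes it; the user objects and the shop-membership lookup are constructed stand-ins for request.user and the UserShop query.

```python
from types import SimpleNamespace

# Constructed model of DRF's composition rules (not DRF's own code):
# has_object_permission defaults to True and `A | B` ORs each check.
class BasePermission:
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        return True  # default that lets a permission lacking an object check pass
    def __or__(self, other):
        return OR(self, other)

class OR(BasePermission):
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2
    def has_permission(self, request, view):
        return self.op1.has_permission(request, view) or self.op2.has_permission(request, view)
    def has_object_permission(self, request, view, obj):
        return (self.op1.has_object_permission(request, view, obj)
                or self.op2.has_object_permission(request, view, obj))

class IsOwner(BasePermission):
    def has_permission(self, request, view):
        return request.user.is_authenticated
    def has_object_permission(self, request, view, obj):
        return obj in request.user.shops  # stand-in for the UserShop lookup

class IsAdminLeaky(BasePermission):  # as in the question: no object-level check
    def has_permission(self, request, view):
        return request.user.is_admin

class IsAdminFixed(IsAdminLeaky):  # the answer's fix
    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)

def allowed(perm, user, shop):
    """Mirror DRF's order: view-level check first, then object-level check."""
    request = SimpleNamespace(user=user)
    return perm.has_permission(request, None) and perm.has_object_permission(request, None, shop)

def demo():
    stranger = SimpleNamespace(is_authenticated=True, is_admin=False, shops=set())
    owner = SimpleNamespace(is_authenticated=True, is_admin=False, shops={"shop-a"})
    admin = SimpleNamespace(is_authenticated=True, is_admin=True, shops=set())
    return {
        "leaky_stranger": allowed(IsOwner() | IsAdminLeaky(), stranger, "shop-a"),  # True: the bug
        "fixed_stranger": allowed(IsOwner() | IsAdminFixed(), stranger, "shop-a"),
        "fixed_owner": allowed(IsOwner() | IsAdminFixed(), owner, "shop-a"),
        "fixed_admin": allowed(IsOwner() | IsAdminFixed(), admin, "shop-a"),
    }
```

Recent DRF releases tightened OR.has_object_permission so that each operand must also pass its own has_permission; defining has_object_permission explicitly on IsAdmin keeps the check correct regardless of the installed version.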