我目前正在开发一个DRF项目,其中管理员用户,教师用户和所有者用户应该能够访问对象详细信息视图。基本上所有用户类型除了那些不是对象的所有者或教师或管理员用户的用户类型。我能够为每个权限实现单独的权限,但是当我需要在视图上组合这些权限时,我遇到了障碍,因为在对象级别的权限之前检查了用户级别的权限。因此我不能使用布尔操作数来组合它们,我必须为我的视图编写这些丑陋的权限类。
如何以更清洁的方式在我的详细信息视图上实现这些权限,或者,是否有更简洁的方法来获取我的结果?
正如您将看到的,我违反了DRY,因为我有一个IsAdminOrOwner和IsAdminOrTeacherOrOwner烫发器。您还将在我看来,我会覆盖get_permissions()以获得相应请求方法的相应权限类。欢迎任何关于这个和其他实现的评论,我想要批评,以便我可以改进它。
from rest_framework import permissions
from rest_framework.permissions import IsAdminUser
class IsOwner(permissions.BasePermission):
def has_permission(self, request, view):
return True
def has_object_permission(self, request, view, obj):
return request.user == obj
class IsTeacher(permissions.BasePermission):
def has_permission(self, request, view):
return request.user.groups.filter(
name='teacher_group').exists()
class IsAdminOrOwner(permissions.BasePermission):
def has_object_permission(self, *args):
is_owner = IsOwner().has_object_permission(*args)
#convert tuple to list
new_args = list(args)
#remove object for non-object permission args
new_args.pop()
is_admin = IsAdminUser().has_permission(*new_args)
return is_owner or is_admin
class IsAdminOrTeacherOrOwner(permissions.BasePermission):
def has_object_permission(self, *args):
is_owner = IsOwner().has_object_permission(*args)
#convert tuple to list
new_args = list(args)
#remove object for non-object permission args
new_args.pop()
is_admin = IsAdminUser().has_permission(*new_args)
is_teacher = IsTeacher().has_permission(*new_args)
return is_admin or is_teacher or is_owner
class UserRetrieveUpdateView(APIView):
serializer_class = UserSerializer
def get_permissions(self):
#the = is essential, because with each view
#it resets the permission classes
#if we did not implement it, the permissions
#would have added up incorrectly
self.permission_classes = [IsAuthenticated]
if self.request.method == 'GET':
self.permission_classes.append(
IsAdminOrTeacherOrOwner)
elif self.request.method == 'PUT':
self.permission_classes.append(IsOwner)
return super().get_permissions()
def get_object(self, pk):
try:
user = User.objects.get(pk=pk)
self.check_object_permissions(self.request, user)
return user
except User.DoesNotExist:
raise Http404
def get(self, request, pk, format=None):
user = self.get_object(pk)
serializer = self.serializer_class(user)
return Response(serializer.data, status.HTTP_200_OK)
def put(self, request, pk, format=None):
user = self.get_object(pk)
#we use partial to update only certain values
serializer = self.serializer_class(user,
data=request.data, partial=True)
if serializer.is_valid():
serializer.save()
return Response(serializer.data,
status.HTTP_200_OK)
return Response(status=status.HTTP_400_BAD_REQUEST)
可以使用按位OR运算符组合Permissions in DRF。例如,您可以这样做:
permission_classes = (IsAdmin | IsOwner | IsTeacher)
这样,您不必定义单独的类来组合它们。