python - 如何限制用户不要在DRF ModelViewSet中看到其他用户数据？

我创建了一个具有用户配置文件的待办事项列表API。每个用户个人资料均可具有待办事项列表。现在一切正常，但是这里的问题是一个用户可以查看其他用户的数据，但是我想限制一个用户不要在请求URL时看到其他用户的待办事项列表。

models.py

class TodoListItem(models.Model):
    """Todo List"""

    user_profile = models.ForeignKey('UserProfile', on_delete=models.CASCADE)
    todo_item = models.CharField(max_length=150)
    description = models.CharField(max_length=255)
    created_on = models.DateTimeField(auto_now_add=True)
    reminder_date = models.DateTimeField()

    def __str__(self):
        """Return the model as the string"""

        return self.todo_item

views.py

class TodoItemViewSet(viewsets.ModelViewSet):
    """Handles creating, reading, and updating profile Todo Items."""

    authentication_classes = (TokenAuthentication,)
    serializer_class = serializers.TodoItemSerializer
    queryset = models.TodoListItem.objects.all()
    permission_classes = (permissions.UpdateTodoItem, IsAuthenticated)

    def perform_create(self, serializer):
        """Sets the user profile to the logged in User."""

        serializer.save(user_profile=self.request.user)

serializers.py

class TodoItemSerializer(serializers.ModelSerializer):
    """Serializer for Todo Items."""

    class Meta:
        model = models.TodoListItem
        fields = ('id', 'user_profile', 'todo_item', 'description', 'created_on', 'reminder_date')
        extra_kwargs = {'user_profile': {'read_only': True}}

Permissions.py

class UpdateTodoItem(permissions.BasePermission):
    """Allow users to update their own status."""

    def has_object_permission(self, request, view, obj):
        """Check user is trying to update their own status."""

        if request.method in permissions.SAFE_METHODS:
            return True

        return obj.user_profile.id == request.user.id

意外结果：

[
    {
        "id": 1,
        "user_profile": 1,
        "todo_item": "Todo Item 1",
        "description": "Sample todo item 1",
        "created_on": "2019-06-06T04:48:59.401451Z",
        "reminder_date": "2019-06-02T04:48:57Z"
    },
    {
        "id": 2,
        "user_profile": 2,
        "todo_item": "Todo Item 2",
        "description": "Sample todo item 3",
        "created_on": "2019-06-06T04:50:08.734365Z",
        "reminder_date": "2019-06-03T04:50:07Z"
    },
    {
        "id": 3,
        "user_profile": 1,
        "todo_item": "Todo Item 2",
        "description": "",
        "created_on": "2019-06-06T04:54:47.919602Z",
        "reminder_date": "2019-06-07T02:00:00Z"
    },
    {
        "id": 4,
        "user_profile": 1,
        "todo_item": "Todo Item 4",
        "description": "Sample todo item 4",
        "created_on": "2019-06-06T05:00:08.004224Z",
        "reminder_date": "2019-06-07T10:01:00Z"
    }
]

预期结果：

[
    {
        "id": 1,
        "user_profile": 1,
        "todo_item": "Todo Item 1",
        "description": "Sample todo item 1",
        "created_on": "2019-06-06T04:48:59.401451Z",
        "reminder_date": "2019-06-02T04:48:57Z"
    },
    {
        "id": 3,
        "user_profile": 1,
        "todo_item": "Todo Item 2",
        "description": "",
        "created_on": "2019-06-06T04:54:47.919602Z",
        "reminder_date": "2019-06-07T02:00:00Z"
    },
    {
        "id": 4,
        "user_profile": 1,
        "todo_item": "Todo Item 4",
        "description": "Sample todo item 4",
        "created_on": "2019-06-06T05:00:08.004224Z",
        "reminder_date": "2019-06-07T10:01:00Z"
    },
]

我只需要查看user_profile 1的todo_item，因为user_profile：1是登录的用户。

最佳答案

你可以试试看返回特定用户的记录

希望能帮助到你
参考this

关于python - 如何限制用户不要在DRF ModelViewSet中看到其他用户数据？，我们在Stack Overflow上找到一个类似的问题：https://stackoverflow.com/questions/56472461/