This article covers how to check permissions on a related (parent) object in Django REST Framework. It should be a useful reference for anyone facing the same problem; read on to follow along.

Problem description

I have defined the following models

from django.db import models


class Flight(models.Model):
    ...


class FlightUpdate(models.Model):
    # on_delete is required on ForeignKey since Django 2.0
    flight = models.ForeignKey('Flight', related_name='updates',
                               on_delete=models.CASCADE)
    ...

and the following viewset using the NestedViewsetMixin in the REST Framework Extensions

from django.shortcuts import get_object_or_404
from rest_framework import mixins, viewsets
from rest_framework_extensions.mixins import NestedViewSetMixin

from .models import Flight, FlightUpdate
from .serializers import FlightUpdateSerializer


class FlightUpdateViewSet(mixins.ListModelMixin,
                          mixins.CreateModelMixin,
                          NestedViewSetMixin,
                          viewsets.GenericViewSet):
    """
    API Endpoint for Flight Updates
    """
    queryset = FlightUpdate.objects.all()
    serializer_class = FlightUpdateSerializer

    def create(self, request, *args, **kwargs):
        # get_parents_query_dict() comes from NestedViewSetMixin and maps the
        # parent lookup name ('flight') to the pk captured from the URL;
        # get_object_or_404 turns an unknown pk into a 404 instead of a 500
        flight = get_object_or_404(Flight, pk=self.get_parents_query_dict()['flight'])
        ...

So, to access the FlightUpdates associated with a Flight, the URL is /flights/1/updates/.

I want to ensure that people can only create FlightUpdates if they have the permissions to change the Flight object with which the FlightUpdate is associated.

How would I go about performing the extra check when adding a FlightUpdate? I've tried adding something like this in the viewset, but I'm not sure if it's the best way.

from rest_framework.exceptions import PermissionDenied

# PermissionDenied is rendered by DRF as a 403 response; the builtin
# PermissionError is an OSError subclass and would surface as a 500
if not request.user.has_perm('flights.change_flight', flight):
    raise PermissionDenied()

Note: I'm using django-rules for the object-level permissions implementation.

Accepted answer

I solved this problem by implementing a custom permissions class.

from django.core.exceptions import ObjectDoesNotExist

from rest_framework.permissions import BasePermission, SAFE_METHODS

from .models import Flight


class FlightPermission(BasePermission):
    """
    Gate writes on a nested /flights/<pk>/updates/ route on the caller's
    object-level change permission for the parent Flight.  has_permission
    runs before the view's create(), so the check happens before any
    FlightUpdate is built or saved.
    """

    def has_permission(self, request, view):
        # GET/HEAD/OPTIONS are not restricted here; listing is limited by the
        # nested queryset instead
        if request.method in SAFE_METHODS:
            return True

        try:
            # the drf-extensions nested router passes the parent pk as the
            # 'parent_lookup_flight' URL kwarg
            flight = Flight.objects.get(pk=view.kwargs['parent_lookup_flight'])
        except ObjectDoesNotExist:
            # deny rather than 404, so the response does not reveal whether
            # the flight exists
            return False

        # object-level check, resolved by django-rules
        return request.user.has_perm('flights.change_flight', flight)
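The following is an added example, not code from the question or the accepted answer. It keeps the decision logic of the answer's permission class but generalises it: the parent lookup, the URL kwarg name and the required permission are parameters, and the object-level decision is delegated to `request.user.has_perm(perm, obj)` exactly as django-rules exposes it. So that it runs without Django installed, the two `rest_framework` names it needs (`BasePermission`, `SAFE_METHODS`) get an equivalent fallback definition when the real import fails, and `Flight`, the `FLIGHTS` table, the `RULES` predicate table, `User`, `Request` and `View` are constructed in-memory stand-ins for the Django model, the django-rules predicate registry and DRF's request/view objects.

```python
"""Parent-object permission for a nested DRF route (added example)."""
from collections import namedtuple

try:  # real DRF when it is installed
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:  # offline fallback with the same contract as DRF
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class ParentDoesNotExist(LookupError):
    """Raised by a lookup callable when the parent pk is unknown."""


def parent_object_permission(lookup, url_kwarg, perm):
    """Build a permission class gating unsafe methods on ``perm`` held
    against the parent object named by ``view.kwargs[url_kwarg]``.

    ``lookup(pk)`` returns the parent or raises ParentDoesNotExist.  In a
    real project it wraps ``Flight.objects.get(pk=pk)`` and maps
    ObjectDoesNotExist onto ParentDoesNotExist.
    """

    class _ParentPermission(BasePermission):
        def has_permission(self, request, view):
            # Reads are scoped by the nested queryset; only writes need the
            # parent-level check.
            if request.method in SAFE_METHODS:
                return True
            pk = view.kwargs.get(url_kwarg)
            if pk is None:
                # Mounted on a non-nested route: fail closed.
                return False
            try:
                parent = lookup(pk)
            except ParentDoesNotExist:
                # Deny (403) instead of revealing whether the parent exists.
                return False
            return bool(request.user.has_perm(perm, parent))

    return _ParentPermission


# ---- constructed stand-ins for the model, django-rules and DRF objects ----
Flight = namedtuple("Flight", "pk dispatcher")
FLIGHTS = {1: Flight(1, "alice"), 2: Flight(2, "bob")}  # constructed data


def get_flight(pk):
    """Stand-in for Flight.objects.get(pk=pk)."""
    try:
        return FLIGHTS[int(pk)]
    except (KeyError, ValueError):
        raise ParentDoesNotExist(pk)


# Rules-style table: permission codename -> predicate(user, obj).  With
# django-rules this would be rules.add_perm('flights.change_flight', ...).
RULES = {
    "flights.change_flight":
        lambda user, flight: user.is_superuser or flight.dispatcher == user.username,
}


class User:
    """Minimal user exposing has_perm(perm, obj) like django-rules' backend."""

    def __init__(self, username, is_superuser=False):
        self.username = username
        self.is_superuser = is_superuser

    def has_perm(self, perm, obj=None):
        predicate = RULES.get(perm)
        return bool(predicate is not None and obj is not None and predicate(self, obj))


Request = namedtuple("Request", "method user")
View = namedtuple("View", "kwargs")

# The class a FlightUpdateViewSet would list in permission_classes.
FlightUpdatePermission = parent_object_permission(
    get_flight, "parent_lookup_flight", "flights.change_flight")


def may_post_update(user, flight_pk, method="POST"):
    """Decision for <method> /flights/<flight_pk>/updates/ by ``user``."""
    request = Request(method, user)
    view = View({"parent_lookup_flight": flight_pk})
    return FlightUpdatePermission().has_permission(request, view)
```

In a real project the viewset gets `permission_classes = [FlightUpdatePermission]`; because DRF evaluates `has_permission` in `initial()` before dispatching to `create()`, no serializer is built and nothing is saved for a caller who fails the parent check, and an unknown or out-of-scope flight pk returns 403 rather than a 404 that confirms its existence.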

That concludes this article on checking permissions on related objects in Django REST Framework. We hope the recommended answer helps, and thank you for your continued support!

08-16 08:31