如何在Django Rest Framework中编辑用户权限

问题描述 投票:0回答:1

我正在按照django Rest Framework的教程。我想添加基于用户的权限,以便只有经过身份验证的用户才能查看每个用户的详细信息。目标:任何人都可以查看UserList,但只有所有者才能查看其UserDetail。

models.py

class Meeting(models.Model):
        created = models.DateTimeField(auto_now_add=True)
        sinceWhen = models.DateTimeField(null=True)
        tilWhen = models.DateTimeField(null=True)
        owner = models.ForeignKey('auth.User', related_name='meetings', on_delete=models.CASCADE)
        #highlighted = models.TextField()

        def save(self, *args, **kwargs):
                super(Meeting, self).save(*args, **kwargs)


        class Meta:
                ordering = ('created',)

views.py

from django.contrib.auth.models import User
# User is not created inside models.py

class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserListSerializer

class UserDetail(generics.RetrieveAPIView):
        queryset = User.objects.all()
        serializer_class = UserSerializer
        permission_classes = (permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly,)
# I added IsOwnerOrReadOnly to make it work, but this is the part where it causes error!

serializers.py

class UserSerializer(serializers.ModelSerializer):
        meetings = serializers.PrimaryKeyRelatedField(many=True, queryset=Meeting.objects.all())
        #owner = serializers.ReadOnlyField(source='owner.username')

        class Meta:
                model = User
                fields = ('id', 'username', 'meetings',)

class UserListSerializer(serializers.ModelSerializer):
        #meetings = serializers.PrimaryKeyRelatedField(many=True, queryset=Meeting.objects.all())

        class Meta:
                model = User
                fields = ('username',)

permissions.py

from rest_framework import permissions

class IsOwnerOrReadOnly(permissions.BasePermission):  
        def has_object_permission(self, request, view, obj):

                # Any permissions are only allowed to the owner of the meeting
                return obj.owner == request.user

我重写了IsOwnerOrReadOnly,以便只有用户才能查看他/她的用户详细信息。并将其添加到views.py中的permission_class。

然后我收到了这个错误:

File "/home/tony/env/lib/python3.6/site-packages/rest_framework/views.py" in check_object_permissions
  345.             if not permission.has_object_permission(request, self, obj):

File "/home/tony/swpp_hw1/meetings/permissions.py" in has_object_permission
  15.       return obj.owner == request.user

Exception Type: AttributeError at /users/1/
Exception Value: 'User' object has no attribute 'owner'

我试图在models.py中添加User类,但它又导致错误......如何解决这个问题?

django django-rest-framework django-permissions
1个回答
1
投票

尝试将其更改为:

return obj == request.user

由于object是您尝试访问的用户,request.user是当前经过身份验证的用户。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.