我想编写一个Mixin(或使用第三方)来检查登录的用户是否是某些对象的所有者。
url(r'^api/mymodel/(?P<pk>\d)/?', CreateUpdateMyModel.as_view(), name='create_or_update')
class MyModel(models.Model):
owner = models.OneToOneField('auth.User')
class OwnerRequired(SingleObjectMixin):
# do this self.object = self.get_object() for getting the object
#
# some logic for checking if request.user == self.object.owner
# otherwise return something like Response(status=status.HTTP_403_FORBIDDEN)
SingleObjectMixin对我来说,继承自我很重要,因为我希望能够执行以下操作:
class CreateUpdateMyModel(APIView, OwnerRequired):
model = MyModel
def post(self, request, *args, **kwargs):
# self.object should be available here
# so that write some code taking it into account
OwnerRequired应该如何实现呢?
我愿意接受另一种选择,实际上,我已经PermissionRequiredMixin从django-braces中进行了检查,我想使用它,但是我不确定该怎么做
permission_required = ?? # I can code a method for, but how can I pass the model instance and the request.user?
还有另一种简单的选择吗?
看一下对象级别的权限。该页面上的示例部分中还有一个相关示例-请参见IsOwnerOrReadOnly示例。
还要注意,对象级权限仅运行以下两种方式之一:
GenericAPIView或子类,并调用get_object()以检索实例。self.check_object_permissions(request, instance在视图代码中显式调用。本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句