Use request.user for model deserialization in django rest framework
Let's say I have a ToDo model like this:
    from django.contrib.auth import get_user_model
    from django.db import models

    UserModel = get_user_model()  # the project's user model

    class ToDo(models.Model):
        user = models.ForeignKey(UserModel)
        text = models.CharField(max_length=255, blank=True)
And I'm using Django REST framework for my API. Then I'll have this for the serializer:
    from rest_framework import serializers

    class ToDoSerializer(serializers.ModelSerializer):
        class Meta:
            model = ToDo
            fields = ('text', 'id', 'user')
and this for the ViewSet:
    from rest_framework import viewsets
    from rest_framework.authentication import TokenAuthentication
    from rest_framework.permissions import IsAuthenticated

    class ToDoResponder(viewsets.ModelViewSet):
        authentication_classes = (TokenAuthentication,)
        permission_classes = (IsAuthenticated,)
        model = ToDo
        serializer_class = ToDoSerializer

        def get_queryset(self):
            # only the requesting user's own rows
            return ToDo.objects.filter(user=self.request.user)
As I'm using TokenAuthentication and get_queryset(), the user can only see his own Todos. Unfortunately I can send ToDos and fake the user field, so I could spam the ToDo list of another user. I don't want that.
How can I tell django-rest-framework to use request.user for specific fields like 'user' in the most DRY/Pythonic way? After all, this is no exotic requirement and should be reusable.
Thanks
In the DRF docs http://www.django-rest-framework.org/tutorial/4-authentication-and-permissions you can find a solution creating a new permission:
    from rest_framework import permissions

    class IsOwner(permissions.BasePermission):
        def has_object_permission(self, request, view, obj):
            return obj.user == request.user
At this point you can use it in your ToDoResponder:
    permission_classes = (IsAuthenticated, IsOwner)
On the same page, in your ToDoResponder:
    def pre_save(self, obj):
        # stamp the authenticated user server-side, ignoring the client value
        obj.user = self.request.user
        super(ToDoResponder, self).pre_save(obj)
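A dependency-free walk-through of the problem and the fix above, added here as an example (plain Python standing in for Django/DRF, not code from the thread or from DRF); the users, the in-memory table and all function names are constructed for illustration.

```python
# Added example: models the mass-assignment issue from the question and the
# IsOwner / pre_save fix from the answer without Django or DRF installed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    username: str

@dataclass
class ToDo:
    id: int
    user: User
    text: str = ""

# Constructed sample users and an in-memory stand-in for the ToDo table.
USERS = {1: User(1, "alice"), 2: User(2, "bob")}
TODOS = []

def _save(todo):
    TODOS.append(todo)
    return todo

def create_todo_unsafe(request_user, payload):
    """Original setup: 'user' is a writable serializer field, so the client
    chooses the owner; a spoofed id lands the row in another user's list."""
    owner = USERS[payload.get("user", request_user.id)]
    return _save(ToDo(len(TODOS) + 1, owner, payload.get("text", "")))

WRITABLE_FIELDS = {"text"}   # 'user' is deliberately not client-writable

def create_todo_safe(request_user, payload):
    """Fix from the answer: drop any client-supplied 'user' and stamp the
    authenticated request.user server-side, as pre_save does."""
    clean = {k: v for k, v in payload.items() if k in WRITABLE_FIELDS}
    return _save(ToDo(len(TODOS) + 1, request_user, clean.get("text", "")))

def has_object_permission(request_user, obj):
    """Same check as IsOwner.has_object_permission."""
    return obj.user == request_user

def visible_todos(request_user):
    """Same filter as get_queryset(): only rows owned by the requester."""
    return [t for t in TODOS if t.user == request_user]

if __name__ == "__main__":
    alice, bob = USERS[1], USERS[2]
    spoofed = {"text": "spam", "user": bob.id}   # alice sending bob's id
    print(create_todo_unsafe(alice, spoofed).user.username)  # bob
    print(create_todo_safe(alice, spoofed).user.username)    # alice
```

On DRF 3.x the pre_save hook no longer exists; the equivalent is perform_create(self, serializer) calling serializer.save(user=self.request.user), with 'user' listed in the serializer's read_only_fields so the client value is never deserialized.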