Django DRF - Restrict Access to List View via Permissions

I have a DRF ViewSet to which I am adding the CanViewAndEditStaff permission. I want only certain users ( user.access_level < 2 ) to be able to view the list of staff. In my Permissions class, how can I differentiate between a call to the list view and to the get item view? Here is my permissions class:

from rest_framework import permissions

class CanViewAndEditStaff(permissions.BasePermission):

    def has_permission(self, request, view):

        # IF THIS IS A LIST VIEW, CHECK ACCESS LEVEL
        if ( request.user.access_level < 3 ):
            return True

        # ELSE, CONTINUE ON TO OBJECT PERMISSIONS

    def has_object_permission(self, request, view, account):

        # admin can do anything
        if ( request.user.access_level == 1 ):
            return True

        # view/edit/delete
        else:

            # users can view their own account
            if account == request.user:
                return True

            elif account.access_level >= request.user.access_level:
                return True

        return False
from rest_framework import permissions

class CanViewAndEditStaff(permissions.BasePermission):

    def has_permission(self, request, view):

        # IF THIS IS A LIST VIEW, CHECK ACCESS LEVEL
        if view.action == 'list':
            return request.user.access_level < 3

        # ELSE, CONTINUE ON TO OBJECT PERMISSIONS
        # (returning True here hands the decision to has_object_permission;
        # falling off the end would return None and deny every other action)
        return True

You can use view.action to know if this is list or something else.

This doesn't exactly address the question, but this technique is applicable.

I used a variation on Ykh's answer that allows the same permission class to be used broadly across many views which display a variety of different models.

In my view class I added an attribute to distinguish the originating view, thus allowing the appropriate object comparison to determine permissions.

# views.py
from rest_framework.generics import ListAPIView, RetrieveAPIView
from .permissions import IsPermd

class SomeView(ListAPIView):
    permission_classes = (IsPermd, )
    is_some_view = True

class SomeOtherView(RetrieveAPIView):
    permission_classes = (IsPermd, )
    is_some_other_view = True

# permissions.py
from rest_framework.permissions import BasePermission

class IsPermd(BasePermission):
    # DRF calls has_object_permission (singular); a misspelled name is never invoked
    def has_object_permission(self, request, view, obj):
        if hasattr(view, 'is_some_view'):
            # whatever special considerations
            ...
        if hasattr(view, 'is_some_other_view'):
            # whatever other special considerations
            ...

This feels a little clunky, but until I find a better way I'll stick with it.
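The following is an added example, not code from the question or from either answer. It implements the question's access-level rules with Ykh's view.action check separating the list action from object-level actions, and alongside it the second answer's pattern of branching on a flag set on the view class (the per-branch rules in that variant are constructed for the example). The user objects, the access-level limit constant, and the check() helper that mimics DRF's evaluation order are assumptions so the example runs offline; if rest_framework is not installed, a minimal stand-in for BasePermission is used.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:
    # Constructed stand-in so the example runs without DRF installed; it
    # mirrors the real BasePermission's allow-by-default methods.
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

# Assumed user model: numeric access_level, 1 = admin, larger = less privileged.
# The question's code uses "< 3" for the list check while its prose says "< 2";
# the limit is kept in one place so it can be set to whichever is meant.
LIST_ACCESS_LEVEL_LIMIT = 3


class CanViewAndEditStaff(BasePermission):
    """The question's rules, with view.action separating list from object actions."""

    def has_permission(self, request, view):
        user = request.user
        if not getattr(user, "is_authenticated", False):
            return False  # anonymous users have no access_level to compare
        # DRF never calls has_object_permission for 'list' (there is no single
        # object), so the list restriction has to live here.
        if getattr(view, "action", None) == "list":
            return user.access_level < LIST_ACCESS_LEVEL_LIMIT
        # Any other action (retrieve/update/destroy) is decided per object.
        return True

    def has_object_permission(self, request, view, account):
        user = request.user
        if user.access_level == 1:
            return True  # admin can do anything
        if account == user:
            return True  # users can view/edit their own account
        # otherwise only accounts no more privileged than the caller
        return account.access_level >= user.access_level


class IsPermd(BasePermission):
    """The second answer's pattern: branch on a flag set on the view class.
    The per-branch rules here are constructed for the example."""

    def has_object_permission(self, request, view, obj):
        if getattr(view, "is_some_view", False):
            return obj == request.user
        if getattr(view, "is_some_other_view", False):
            return request.user.access_level == 1
        return False  # an unflagged view is denied instead of falling through to None


def make_user(user_id, access_level):
    """Constructed stand-in for a user object (no database needed)."""
    return SimpleNamespace(id=user_id, access_level=access_level, is_authenticated=True)


def check(permission, user, action, obj=None, **view_attrs):
    """Evaluate a permission the way DRF does: has_permission first, then
    has_object_permission only when a single object is involved."""
    request = SimpleNamespace(user=user)
    view = SimpleNamespace(action=action, **view_attrs)
    if not permission.has_permission(request, view):
        return False
    if obj is None:
        return True
    return bool(permission.has_object_permission(request, view, obj))


if __name__ == "__main__":
    admin, manager, staff = make_user(1, 1), make_user(2, 2), make_user(3, 3)
    perm = CanViewAndEditStaff()
    print("staff lists staff:  ", check(perm, staff, "list"))             # False
    print("manager lists staff:", check(perm, manager, "list"))           # True
    print("staff views self:   ", check(perm, staff, "retrieve", staff))  # True
    print("staff edits manager:", check(perm, staff, "update", manager))  # False
    print("admin deletes staff:", check(perm, admin, "destroy", staff))   # True
```

The point worth keeping in mind when testing a class like this: a retrieve or update request that is denied by has_permission never reaches has_object_permission, so a bare list check that falls through to None silently blocks every other action, which is the failure the explicit `return True` in has_permission avoids.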
