Django REST framework: Prevent one user from deleting/editing/viewing other users in ModelViewSet
I was using Django's user model with Django REST framework. For this I used Django's ModelViewSet for my User class.
from django.contrib.auth.models import User
from rest_framework import viewsets

class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer
serializers.py
from django.contrib.auth.models import User
from rest_framework import serializers
from rest_framework.authtoken.models import Token

class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['id', 'username', 'password']
        extra_kwargs = {
            'password': {
                'write_only': True,
                'required': True
            }
        }

    def create(self, validated_data):
        # create_user() hashes the password instead of storing it as given
        user = User.objects.create_user(**validated_data)
        Token.objects.create(user=user)  # create token for the user
        return user
But currently, from Postman, when I make a request using the token of one user to view, delete or edit other users, e.g.
http://127.0.0.1:8000/api/users/4/
it is able to edit/delete/view other users. I don't want that to happen; all I want is that one user can only make requests on itself.
This is my app's urls.py:
from django.urls import path, include
from .views import ArticleViewSet, UserViewSet
from rest_framework.routers import DefaultRouter

router = DefaultRouter()
router.register('articles', ArticleViewSet, basename='articles')
router.register('users', UserViewSet, basename='users')

urlpatterns = [
    path('api/', include(router.urls)),
]
How can I prevent one user from accessing other users when they make GET/POST/PUT/DELETE requests?
EDIT 1: After adding the IsOwnerOfObject class as provided in the answers below, when I now request the details of the user himself, I am getting
Authentication credentials were not provided.
Create a file named permissions.py.
from rest_framework import permissions

class IsOwnerOfObject(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj == request.user
Next, add the permission class to your ModelViewSet:
from yourapp.permissions import IsOwnerOfObject

class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer
    permission_classes = [IsOwnerOfObject]  # plus any other permission classes you want to use
More info here: https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#object-level-permissions
If you want to disable delete completely (which is probably correct, since if you want to "delete" a User you should deactivate it instead), then you can replace your view with this:
from rest_framework import mixins, viewsets
from django.contrib.auth.models import User
from .serializers import UserSerializer

# The mixins live in rest_framework.mixins (not rest_framework.generics);
# leaving DestroyModelMixin out removes the DELETE route entirely.
class UserViewSet(
    mixins.CreateModelMixin,
    mixins.ListModelMixin,
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
    viewsets.GenericViewSet
):
    queryset = User.objects.all()
    serializer_class = UserSerializer
And then you can use Ene Paul's answer to limit who can edit.
Building from Ene's answer: the authentication and permission classes need to be provided.
Create a file named permissions.py.
from rest_framework import permissions

class IsOwnerOfObject(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj == request.user
Next, add the permission and authentication classes to the ModelViewSet:
from api.permissions import IsOwnerOfObject
from rest_framework import viewsets
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated

class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer
    permission_classes = [IsAuthenticated, IsOwnerOfObject]
    authentication_classes = (TokenAuthentication,)
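All three answers rely on has_object_permission, which DRF only consults on detail routes (retrieve/update/destroy); the list route never calls it, so GET /api/users/ still returns every user, and a denied detail request confirms that the other user's id exists. The example below is added here and is not code from the question or the answers: it is a pure-Python stand-in for DRF's authentication/permission pipeline (class and method names mirror DRF's, but the Request object, the user/token tables and the dispatch loop are constructed so it runs without Django). It shows the list leak with the answers' view as written, the hardened form that also filters get_queryset to request.user (the ORM equivalent is User.objects.filter(pk=request.user.pk), which turns other users' detail URLs into 404), and why EDIT 1 sees "Authentication credentials were not provided.": DRF returns that message when authenticators are configured but none accepted the request, which is what happens when a Token header is sent to a view still using DRF's default session/basic authentication, the situation the third answer fixes.

```python
# Stand-in for DRF's authentication/permission pipeline (no Django needed).
# Names mirror DRF; the User/Token tables, Request and dispatch loop are
# constructed for this example and are NOT DRF code.
from dataclasses import dataclass


class APIException(Exception):
    status, detail = 500, ""

class NotAuthenticated(APIException):
    status, detail = 401, "Authentication credentials were not provided."

class PermissionDenied(APIException):
    status, detail = 403, "You do not have permission to perform this action."

class NotFound(APIException):
    status, detail = 404, "Not found."


@dataclass(frozen=True)
class User:
    id: int
    username: str
    is_authenticated: bool = True

ANONYMOUS = User(0, "anonymous", is_authenticated=False)
USERS = {1: User(1, "alice"), 2: User(2, "bob")}   # constructed sample users
TOKENS = {"tok-alice": 1, "tok-bob": 2}            # constructed sample tokens


@dataclass
class Request:
    headers: dict
    user: User = ANONYMOUS
    successful_authenticator: type = None


class SessionAuthentication:
    """Stand-in for DRF's default authenticator: ignores 'Token ...' headers."""
    def authenticate(self, request):
        return None

class TokenAuthentication:
    def authenticate(self, request):
        value = request.headers.get("Authorization", "")
        if not value.startswith("Token "):
            return None                          # not our scheme, try the next one
        return USERS.get(TOKENS.get(value[len("Token "):]))


class IsAuthenticated:
    def has_permission(self, request, view):
        return request.user.is_authenticated
    def has_object_permission(self, request, view, obj):
        return True

class IsOwnerOfObject:                           # the class from the answers
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        return obj == request.user


class UserViewSet:
    authentication_classes = (TokenAuthentication,)
    permission_classes = (IsAuthenticated, IsOwnerOfObject)
    restrict_queryset = False                    # False = the answers as written

    def get_queryset(self, request):
        users = list(USERS.values())
        if self.restrict_queryset:               # hardened: only the caller's own row
            users = [u for u in users if u.id == request.user.id]
        return users

    def permission_denied(self, request):        # DRF's rule for choosing 401 vs 403
        if self.authentication_classes and request.successful_authenticator is None:
            raise NotAuthenticated()
        raise PermissionDenied()

    def dispatch(self, request, pk=None):
        for auth_cls in self.authentication_classes:             # 1. authenticate
            user = auth_cls().authenticate(request)
            if user is not None:
                request.user, request.successful_authenticator = user, auth_cls
                break
        for perm in self.permission_classes:                     # 2. view-level checks
            if not perm().has_permission(request, self):
                self.permission_denied(request)
        queryset = self.get_queryset(request)
        if pk is None:                                           # 3. list: no object checks
            return [u.id for u in queryset]
        obj = next((u for u in queryset if u.id == pk), None)    # 4. get_object() -> 404
        if obj is None:
            raise NotFound()
        for perm in self.permission_classes:                     # 5. object-level checks
            if not perm().has_object_permission(request, self, obj):
                self.permission_denied(request)
        return obj.id


def call(view, pk=None, token=None):
    """Return (status, body) for GET /api/users/ (pk=None) or /api/users/<pk>/."""
    headers = {"Authorization": f"Token {token}"} if token else {}
    try:
        return 200, view.dispatch(Request(headers), pk)
    except APIException as exc:
        return exc.status, exc.detail

def hardened_view():
    view = UserViewSet()
    view.restrict_queryset = True
    return view

def default_auth_view():                         # TokenAuthentication not configured
    view = UserViewSet()
    view.authentication_classes = (SessionAuthentication,)
    return view
```

Run `call(UserViewSet(), token="tok-alice")` to see the list leak ([1, 2]) and `call(hardened_view(), pk=2, token="tok-alice")` to see the other user's row disappear as a 404. In a real project the same two layers apply: keep IsAuthenticated plus the object permission on the view, and override get_queryset() to return User.objects.filter(pk=request.user.pk) so neither the list route nor a guessed id reveals other accounts.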