
Django rest framework: Prevent one user from deleting/editing/viewing other users in ModelViewSet

I was using the Django users model for my Django rest framework. For this I used Django's ModelViewSet for my User class.

from django.contrib.auth.models import User
from rest_framework import viewsets

from .serializers import UserSerializer


class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer

serializers.py

from django.contrib.auth.models import User
from rest_framework import serializers
from rest_framework.authtoken.models import Token


class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['id', 'username', 'password']

        extra_kwargs = {
            'password': {
                'write_only': True,
                'required': True
            }
        }

    def create(self, validated_data):
        # create_user() hashes the password instead of storing it as given
        user = User.objects.create_user(**validated_data)
        Token.objects.create(user=user)  # create token for the user
        return user

But currently, from Postman, when I make the request using the token of one user to view, delete or edit other users,

http://127.0.0.1:8000/api/users/4/

it's able to edit/delete/view other users. I don't want that to happen; all I want is that one user can make requests on itself only.

This is my app's urls.py:

from django.urls import path, include
from .views import ArticleViewSet, UserViewSet
from rest_framework.routers import DefaultRouter


router = DefaultRouter()
router.register('articles', ArticleViewSet, basename='articles')
router.register('users', UserViewSet, basename='users')


urlpatterns = [
    path('api/', include(router.urls)),
]

How can I prevent one user from accessing other users when they make GET/POST/PUT/DELETE requests?

EDIT 1: After adding the IsOwnerOfObject class as provided in the answers below, now when I am requesting the details of the user himself, I am getting

Authentication credentials were not provided.

Create a file named permissions.py.

from rest_framework import permissions


class IsOwnerOfObject(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj == request.user

Next, add the permission class to your ModelViewSet:

from rest_framework import viewsets

from yourapp.permissions import IsOwnerOfObject


class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer

    # add any other permission classes you want to use to this list
    permission_classes = [IsOwnerOfObject]

More info here: https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/#object-level-permissions

If you want to disable delete completely (which is probably correct, since if you want to "delete" a User you should deactivate it instead), then you can replace your view with this:

from rest_framework import mixins, viewsets


# Compose the viewset from the individual mixins so that no DestroyModelMixin
# is present, which means the router never exposes a DELETE route for users.
class UserViewSet(
    mixins.CreateModelMixin,
    mixins.ListModelMixin,
    mixins.RetrieveModelMixin,
    mixins.UpdateModelMixin,
    viewsets.GenericViewSet
):
    queryset = User.objects.all()
    serializer_class = UserSerializer

And then you can use Ene Paul's answer to limit who can edit.

Building on Ene's answer, the authentication and permission classes need to be provided.

Create a file named permissions.py.

from rest_framework import permissions

class IsOwnerOfObject(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj == request.user

Next, add the permission and authentication classes to the ModelViewSet:

from django.contrib.auth.models import User
from rest_framework import viewsets
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated

from api.permissions import IsOwnerOfObject


class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer

    # IsAuthenticated rejects requests without a valid token before the
    # object-level check runs, which is what caused the error in EDIT 1.
    permission_classes = [IsAuthenticated, IsOwnerOfObject]
    authentication_classes = (TokenAuthentication,)
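An added example, not from the question or either answer, showing why an object-level check on its own leaves gaps: DRF calls has_permission() on every request but has_object_permission() only from get_object(), so the list action (and create) never reaches the IsOwnerOfObject check and every user remains visible through /api/users/. The User, Request and View classes are constructed stand-ins that keep DRF's method signatures so the file runs without Django; IsSelf, only_self and dispatch are hypothetical names, and only_self models a get_queryset() override returning User.objects.filter(pk=request.user.pk).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:            # constructed stand-in for django.contrib.auth.models.User
    id: int
    is_authenticated: bool = True

@dataclass
class Request:         # constructed stand-in for rest_framework.request.Request
    user: User

@dataclass
class View:            # constructed stand-in: only the viewset's .action is needed
    action: str        # list, create, retrieve, update, partial_update, destroy

DETAIL_ACTIONS = {"retrieve", "update", "partial_update", "destroy"}  # these call get_object()

class IsOwnerOfObject:
    """The answer's class: BasePermission's default has_permission() plus the object check."""
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        return obj == request.user

class IsSelf:
    """Hardened (hypothetical name): reject anonymous callers before any object is loaded;
    'create' stays open so sign-up through the serializer's create() keeps working."""
    def has_permission(self, request, view):
        return view.action == "create" or request.user.is_authenticated
    def has_object_permission(self, request, view, obj):
        return obj == request.user

def all_users(request, users):
    """What `queryset = User.objects.all()` exposes to the list action."""
    return list(users)

def only_self(request, users):
    """Models get_queryset() returning User.objects.filter(pk=request.user.pk)."""
    return [u for u in users if u.id == request.user.id]

def dispatch(perm, queryset_fn, request, view, users, target_id=None):
    """Constructed model of DRF's order: check_permissions() first, then for detail actions
    get_object(): filter the queryset (404 if missing) and run check_object_permissions()."""
    if not perm.has_permission(request, view):
        return "denied"
    if view.action not in DETAIL_ACTIONS:
        return [u.id for u in queryset_fn(request, users)] if view.action == "list" else "created"
    obj = next((u for u in queryset_fn(request, users) if u.id == target_id), None)
    if obj is None:
        return "not found"
    if not perm.has_object_permission(request, view, obj):
        return "denied"
    return f"{view.action}:{obj.id}"
```

In a real viewset the equivalent is permission_classes = [IsSelf] plus the get_queryset() override; with the filtered queryset, another user's id yields 404 rather than confirming that the account exists.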
