I'm a newbie to Django and Django REST framework. I've written a blog app using Django. I want a comment to be deletable by the comment owner and by the post owner. Thanks in advance. These are my Comment and Post models:
class Post(models.Model):
    """A post with an owning user, free-text fields and optional media."""

    # The three text fields are optional (blank=True) and length-capped.
    name = models.CharField(max_length=60, blank=True)
    caption = models.CharField(max_length=280, blank=True)
    status = models.CharField(max_length=20, blank=True)
    # Deleting the user cascades to their posts. The column is nullable, so
    # any ownership check has to cope with owner being None.
    owner = models.ForeignKey(
        User,
        on_delete=models.CASCADE,
        null=True,
        related_name='Post_owner',
    )
    # NOTE(review): TimeField keeps only the time of day, not the date --
    # confirm that DateTimeField was not intended.
    created_at = models.TimeField(auto_now_add=True)
    multimedia = models.ManyToManyField(
        Media,
        blank=True,
        related_name='Post',
    )
class Comment(models.Model):
    """A comment written by a user on a post."""

    context = models.CharField(max_length=280, blank=True)
    # Both relations cascade on delete and are nullable: a row may have no
    # author or no post, so authorization code must not assume either is set.
    author = models.ForeignKey(
        User,
        on_delete=models.CASCADE,
        null=True,
        related_name='comment_author',
    )
    # NOTE(review): TimeField keeps only the time of day, not the date --
    # confirm that DateTimeField was not intended.
    created_at = models.TimeField(auto_now_add=True)
    post = models.ForeignKey(
        Post,
        on_delete=models.CASCADE,
        null=True,
        related_name='comments',
    )
These are my serializers:
class CommentSerializer(serializers.ModelSerializer):
    """Serialize Comment rows: id, text, author, timestamp and parent post."""

    class Meta:
        model = models.Comment
        # NOTE(review): 'author' and 'post' are not declared read-only, so any
        # write that goes through this serializer can set or reassign them.
        # Views that accept client input should fix both values server-side.
        fields = (
            'id',
            'context',
            'author',
            'created_at',
            'post',
        )
class PostSerializer(serializers.ModelSerializer):
    """Serialize a Post with its media and comments nested read-only."""

    # Nested representations are output-only; clients cannot write through them.
    multimedia = PostMediaSerializer(read_only=True, required=False, many=True)
    comments = CommentSerializer(read_only=True, many=True)

    class Meta:
        model = models.Post
        # NOTE(review): 'owner' is writable through this serializer; a view
        # that accepts writes should set it from request.user, not the payload.
        fields = (
            'name',
            'caption',
            'status',
            'owner',
            'created_at',
            'multimedia',
            'comments',
        )
and this is my view class to insert a comment:
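class CreateCommentView(generics.RetrieveUpdateDestroyAPIView):
    """Comment endpoint whose PUT is repurposed to create a comment on post ``pk``.

    The base class also supplies GET, PATCH and DELETE handlers that look the
    comment up by ``pk``. With only ``IsAuthenticated`` configured, those
    inherited handlers let any logged-in user modify or delete any comment;
    an object-level permission is needed to restrict them to the owners.
    """

    queryset = Comment.objects.all()
    permission_classes = (IsAuthenticated,)
    serializer_class = post_serializer.CommentSerializer

    def put(self, request, pk=None):
        """Create a comment on the post identified by ``pk``.

        The author and post are filled in server-side from the authenticated
        user and the URL, overriding whatever the client sent for those keys.
        Invalid input raises ``ValidationError``, which DRF renders as a 400
        response carrying the field errors by default.
        """
        # request.data is an immutable QueryDict for form-encoded bodies, so
        # assigning into it directly fails; work on a mutable copy instead.
        data = request.data.copy()
        # NOTE(review): a ModelSerializer relation field expects the related
        # object's primary key -- presumably User is keyed by email; confirm.
        data['author'] = request.user.email
        data['post'] = pk

        serializer = self.get_serializer(data=data)
        # raise_exception is keyword-only in newer DRF releases, and once it is
        # set the old "if not valid" branch could never run, so it was dropped.
        serializer.is_valid(raise_exception=True)
        serializer.save()
        return Response("comment created!", status=status.HTTP_202_ACCEPTED)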
You can simply create your own permission to achieve that.
Create a permissions.py file if you have not done it yet and add the following:
#permissions.py
from rest_framework import permissions
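class IsPostOrCommentOwner(permissions.BasePermission):
    """Object-level permission for Comment instances.

    * Read-only methods (GET, HEAD, OPTIONS) are allowed for everyone who
      passed the view-level checks.
    * DELETE is allowed for the comment's author or the owner of its post.
    * Any other method (PUT, PATCH, ...) is allowed for the comment's author
      only, so one user cannot edit another user's comment.

    DRF calls this only from ``get_object()`` / ``check_object_permissions()``;
    a handler that never calls either is not covered by it.
    """

    def has_object_permission(self, request, view, obj):
        """Return True if ``request.user`` may perform the method on ``obj``."""
        if request.method in permissions.SAFE_METHODS:
            return True

        user = request.user
        is_author = obj.author == user

        if request.method == "DELETE":
            # Comment.post is nullable: guard before dereferencing .owner so an
            # orphaned comment yields a denial instead of an AttributeError.
            post = obj.post
            return is_author or (post is not None and post.owner == user)

        # Remaining unsafe methods change the comment itself: author only.
        return is_author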
Then, you can just add the newly created permission to your view.
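# views.py
# The module is imported by name, without the ".py" file extension.
from .permissions import IsPostOrCommentOwner


class CreateCommentView(generics.RetrieveUpdateDestroyAPIView):
    queryset = Comment.objects.all()
    # All listed permissions must pass. The object-level check of
    # IsPostOrCommentOwner runs only when a handler calls get_object(), so a
    # handler overridden without that call is not protected by it.
    permission_classes = (IsAuthenticated, IsPostOrCommentOwner,)
    # etc ...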
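After that, only the post owner or comment author will be able to delete the comment. Note that DRF evaluates object-level permissions only when the view calls get_object(), so a handler that is overridden without calling it is not covered by this check. You can find out more about the DRF permissions system in the DRF documentation.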