8.4.drf的权限验证
获取当前的用户信息
from rest_framework import serializers
from .models import UserFav
class UserFavSerializer(serializers.ModelSerializer):
user = serializers.HiddenField(
default=serializers.CurrentUserDefault()
)
class Meta:
model = UserFav
fields = ('user', 'goods')联合校验
from rest_framework import serializers
from rest_framework.validators import UniqueTogetherValidator
from .models import UserFav
class UserFavSerializer(serializers.ModelSerializer):
user = serializers.HiddenField(
default=serializers.CurrentUserDefault()
)
class Meta:
model = UserFav
# user和goods组合唯一索引
validators = [
UniqueTogetherValidator(
queryset=UserFav.objects.all(),
fields=['user', 'goods'],
message='已收藏'
)
]
fields = ('user', 'goods', 'id')自定义权限
apps/utils/permissions.py
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `owner` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Instance must have an attribute named `owner`.
return obj.user == request.userapps/user_operation/views.py
from rest_framework import mixins
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated
from user_operation.models import UserFav
from user_operation.serializers import UserFavSerializer
from utils.permissions import IsOwnerOrReadOnly
class UserFavViewSet(mixins.CreateModelMixin, mixins.RetrieveModelMixin, mixins.ListModelMixin,
mixins.DestroyModelMixin, viewsets.GenericViewSet):
# 设置权限
permission_classes = (IsAuthenticated, IsOwnerOrReadOnly)
serializer_class = UserFavSerializer
def get_queryset(self):
# 获取用户下收藏
return UserFav.objects.filter(user=self.request.user)Last updated
Was this helpful?