DJANGO REST框架:使用Generics Apiview I' M无法设置权限(Permissions.Py不适合个人用户)
我希望管理员用户能够访问每个用户详细信息和非ADMIN用户仅访问其自己的详细信息,但是而不是此非ADMIN用户在实现此过程时显示与管理用户相同的每个用户的完整列表。当我分享了我的Views.py,Permissions.py和Models.py时。
我不确定问题是否在persions..py.py或models.py中,因为我是Django的新手。
我正在使用Postman进行API测试,这对管理员用户来说很好,但是对于单个用户而言,它无法正常工作。
views.py
class UserListCreateAPIView(generics.ListCreateAPIView):
permission_classes = [IsStaffOrTargetUser]
queryset = User.objects.all()
serializer_class = UserSerializer
class UserRetrtieveUpdateDestroyAPIView(generics.RetrieveUpdateDestroyAPIView):
permission_classes = [IsStaffOrTargetUser]
queryset = User.objects.all()
serializer_class = UserSerializer
permissions.py
class IsStaffOrTargetUser(BasePermission):
def has_permission(self, request, view):
# allow user to list all users if logged in user is staff
return request.user or request.user.is_staff
def has_object_permission(self, request, view, obj):
# allow logged in user to view own details, allows staff to view all records
return request.user.is_staff or obj == request.user
models.py
class User(AbstractBaseUser):
email = models.EmailField(verbose_name='Email',max_length=255,unique=True)
name = models.CharField(max_length=200)
contact_number= models.IntegerField()
gender = models.IntegerField(choices=GENDER_CHOICES)
address= models.CharField(max_length=100)
state=models.CharField(max_length=100)
city=models.CharField(max_length=100)
country=models.CharField(max_length=100)
pincode= models.IntegerField()
dob = models.DateField(null= True)
# is_staff = models.BooleanField(default=False)
is_active = models.BooleanField(default=True)
is_admin = models.BooleanField(default=False)
created_at = models.DateTimeField(auto_now_add=True)
updated_at = models.DateTimeField(auto_now=True)
objects = UserManager()
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = ['name','contact_number','gender','address','state','city','country','pincode','dob']
def __str__(self):
return self.email
def has_perm(self, perm, obj=None):
"Does the user have a specific permission?"
# Simplest possible answer: Yes, always
return self.is_admin
def has_module_perms(self, app_label):
"Does the user have permissions to view the app `app_label`?"
# Simplest possible answer: Yes, always
return True
@property
def is_staff(self):
"Is the user a member of staff?"
# Simplest possible answer: All admins are staff
return self.is_admin
I want the admin user to access every user detail and the non-admin user to get access to its own detail only but Instead of this non-admin user is showing the full list of every user same as the admin user while implementing this. As I've shared my views.py, permissions.py, and models.py for the same.
I'm not sure whether the problem is in permisions.py or models.py as I'm new to Django.
I'm using Postman for API testing and this is working fine for the admin user but for an individual user, it's not working.
views.py
class UserListCreateAPIView(generics.ListCreateAPIView):
permission_classes = [IsStaffOrTargetUser]
queryset = User.objects.all()
serializer_class = UserSerializer
class UserRetrtieveUpdateDestroyAPIView(generics.RetrieveUpdateDestroyAPIView):
permission_classes = [IsStaffOrTargetUser]
queryset = User.objects.all()
serializer_class = UserSerializer
permissions.py
class IsStaffOrTargetUser(BasePermission):
def has_permission(self, request, view):
# allow user to list all users if logged in user is staff
return request.user or request.user.is_staff
def has_object_permission(self, request, view, obj):
# allow logged in user to view own details, allows staff to view all records
return request.user.is_staff or obj == request.user
models.py
class User(AbstractBaseUser):
email = models.EmailField(verbose_name='Email',max_length=255,unique=True)
name = models.CharField(max_length=200)
contact_number= models.IntegerField()
gender = models.IntegerField(choices=GENDER_CHOICES)
address= models.CharField(max_length=100)
state=models.CharField(max_length=100)
city=models.CharField(max_length=100)
country=models.CharField(max_length=100)
pincode= models.IntegerField()
dob = models.DateField(null= True)
# is_staff = models.BooleanField(default=False)
is_active = models.BooleanField(default=True)
is_admin = models.BooleanField(default=False)
created_at = models.DateTimeField(auto_now_add=True)
updated_at = models.DateTimeField(auto_now=True)
objects = UserManager()
USERNAME_FIELD = 'email'
REQUIRED_FIELDS = ['name','contact_number','gender','address','state','city','country','pincode','dob']
def __str__(self):
return self.email
def has_perm(self, perm, obj=None):
"Does the user have a specific permission?"
# Simplest possible answer: Yes, always
return self.is_admin
def has_module_perms(self, app_label):
"Does the user have permissions to view the app `app_label`?"
# Simplest possible answer: Yes, always
return True
@property
def is_staff(self):
"Is the user a member of staff?"
# Simplest possible answer: All admins are staff
return self.is_admin
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论