我有一个模型Application,它有字段applicant = ForeignKey('User'...)和coapplicant = ForeignKey('User'...)。
还有一个具有字段CCD_ 5的模型CCD_。
如果A和B通过Application建立关系,我想允许用户A创建、编辑、删除用户B的Income对象。
这意味着:
如果存在这样的Application对象,其中A是申请人并且B是共同申请人或者A是共同申请人并且B是申请人,则用户A可以CRUD用户B的收入,反之亦然。
你知道怎么做吗?
您可以编写这样的自定义权限:
from django.db.models import F
class IsOwnerOrCoapplicant(permissions.BasePermission):
"""
Object-level permission to only allow owners of an object to edit it.
Assumes the model instance has an `owner` attribute.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
if obj.user == request.user:
return True
# If application with both users exists return true,
# exclude cases when applicant and coapplicant are the same just in case
if Application.objects.filter(applicant__in=[obj.user, request.user], coapplicant__in=[obj.user, request.user]).exclude(applicant=F('coapplicant')).exists()
return True
return False
您可以使用Application模型定义用户a和其他用户(如B(之间的多对多关系(从现在起我将称之为共同应用程序。(。和Django通过字段
例如:
from Django import models
class User(models.Model):
...
....
coapplicants = models.ManyToManyField(
'User',
through='Application',
through_fields=('applicant', 'coapplicant'),
)
class Application(models.Model):
applicant= models.ForeignKey('User',...)
coapplicant = models.ForeignKey('User'...)
如果希望A和B都处于此关系中,则只需在through_fields中使用applicant或coapplicant中的一个即可。查看此处的文档
既然已经定义了它们之间的关系,就可以使用Django rest对象权限授予用户B编辑属于用户A的Income对象的访问权限。此处的文档
from rest_framework import permissions
class IsOwnerOrCoapplicant(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
# assuming Income instance has an attribute named `owner`.
return obj.owner == request.user or request.user.coapplicants.filter(id=obj.owner.id).exists()
如果将此权限添加到使用Income对象的ViewSet,则传递给has_object_permission函数的obj参数就是Income实例。