I want to create a permission for a view that checks whether the user is the owner of the shop or an admin. I have created two permissions which work fine when used separately: one checks whether a user is an admin, the other whether the user is the owner of the shop. I now want to make a combined condition that checks whether either of the two conditions is met.
Here is my starting point:
utils.py
from rest_framework.permissions import BasePermission
from rest_framework.views import APIView
from rest_framework.generics import GenericAPIView

from .models import UserShop  # project model (assumed module path)


class IsOwner(BasePermission):
    """
    Check if the user who made the request is owner.
    Use like this: permission_classes = [IsOwner]
    """
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        try:
            # Ownership is recorded as a UserShop row linking the user to the shop
            UserShop.objects.get(user=request.user, shop=obj)
            return True
        except UserShop.DoesNotExist:  # narrowed from a bare except so other errors are not swallowed
            return False


class IsAdmin(BasePermission):
    """
    Check if the user who made the request is admin.
    Use like this: permission_classes = [IsAdmin]
    """
    def has_permission(self, request, view):
        if 'Authorization' not in request.headers:
            return False
        else:
            return request.user.is_admin


class OwnerView(GenericAPIView):
    """
    Check if a user is owner
    """
    permission_classes = (IsOwner,)


class AdminView(APIView):
    """
    Check if a user is admin
    """
    permission_classes = (IsAdmin,)
Here is what I am trying to do:
class AdminOrOwnerView(GenericAPIView):
    """
    Check if a user is admin or owner
    """
    permission_classes = (IsOwner | IsAdmin,)
Currently this condition lets any logged-in user use my view.
Here is my view:
views.py
from rest_framework import status
from rest_framework.response import Response

from .models import Shop  # project model and serializer (assumed module paths)
from .serializers import ShopSerializer
from .utils import AdminOrOwnerView


class ShopDetail(AdminOrOwnerView):
    """Edit or delete a shop"""
    queryset = Shop.objects.all()
    lookup_field = 'path'

    def put(self, request, path):
        """For admin or shop owner to edit a shop"""
        shop = self.get_object()  # runs check_object_permissions on the shop
        serializer = ShopSerializer(shop, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
Thanks in advance for your help.
You combine the two permissions with `permission_classes = (IsOwner | IsAdmin,)`. First `has_permission` is called, which succeeds because in this case `IsOwner` returns True for a logged-in user. Next, when `has_object_permission` is called, this succeeds again, because this time `IsAdmin` returns True (since you have not implemented anything there).
One solution is to explicitly check again whether the user is an admin in `has_object_permission` of `IsAdmin`:
from rest_framework.permissions import BasePermission


class IsAdmin(BasePermission):
    """
    Check if the user who made the request is admin.
    Use like this: permission_classes = [IsAdmin]
    """
    def has_permission(self, request, view):
        if 'Authorization' not in request.headers:
            return False
        else:
            return request.user.is_admin

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)  # reuse `has_permission`
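To make the failure mode in the answer concrete without a Django project, here is an added example (not code from the question or the answer) that simulates the `IsOwner | IsAdmin` composition the way the OR operator in DRF's `rest_framework.permissions` OR-s each hook independently. `User`, `Request`, `Shop` and the `OWNERSHIPS` table are constructed stand-ins for the Django user, DRF request, `Shop` model and `UserShop` table; `IsAdminOriginal` is the question's class and `IsAdminFixed` applies the answer's fix. Running both through the same scenarios shows that the original version lets an unrelated logged-in user through the object check while the fixed version denies them. (Recent DRF releases also require an operand's `has_permission` to pass inside the OR's `has_object_permission`; the explicit override is the robust choice regardless of version.)

```python
# Added example: dependency-free simulation of DRF permission composition.
# The framework classes below mirror rest_framework.permissions.BasePermission/OR;
# the request, user, shop and ownership table are constructed test data.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_authenticated: bool = True
    is_admin: bool = False


@dataclass
class Request:
    user: User
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Shop:
    path: str


# Constructed stand-in for the UserShop table: (user name, shop path) pairs.
OWNERSHIPS = {("alice", "alice-shop")}


class BasePermission:
    """As in DRF: both hooks default to True, so an unimplemented
    has_object_permission never denies anything."""
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True

    def __or__(self, other):
        return OR(self, other)


class OR(BasePermission):
    """Composition as the answer describes it: each hook is OR-ed on its own,
    so has_object_permission does not re-check the operand's has_permission."""
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return (self.op1.has_permission(request, view)
                or self.op2.has_permission(request, view))

    def has_object_permission(self, request, view, obj):
        return (self.op1.has_object_permission(request, view, obj)
                or self.op2.has_object_permission(request, view, obj))


class IsOwner(BasePermission):
    def has_permission(self, request, view):
        return request.user and request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        return (request.user.name, obj.path) in OWNERSHIPS


class IsAdminOriginal(BasePermission):
    """The question's IsAdmin: only the view-level hook is implemented."""
    def has_permission(self, request, view):
        if 'Authorization' not in request.headers:
            return False
        return request.user.is_admin


class IsAdminFixed(IsAdminOriginal):
    """The answer's fix: the object-level hook repeats the admin check."""
    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)


def check_access(permission, request, obj, view=None):
    """Replicates the view flow: check_permissions, then check_object_permissions
    when get_object() is called."""
    if not permission.has_permission(request, view):
        return False
    return bool(permission.has_object_permission(request, view, obj))


def run_scenarios(admin_cls):
    """Evaluate IsOwner | admin_cls for four kinds of caller against alice's shop."""
    shop = Shop("alice-shop")
    auth = {"Authorization": "Token constructed-sample"}
    perm = IsOwner() | admin_cls()
    return {
        "owner": check_access(perm, Request(User("alice"), auth), shop),
        "admin": check_access(perm, Request(User("root", is_admin=True), auth), shop),
        "other": check_access(perm, Request(User("bob"), auth), shop),
        "anonymous": check_access(perm, Request(User("anon", is_authenticated=False)), shop),
    }


if __name__ == "__main__":
    print("original:", run_scenarios(IsAdminOriginal))  # "other" is wrongly True
    print("fixed:   ", run_scenarios(IsAdminFixed))     # "other" is False
```

The key line is `other` in the original run: bob passes `has_permission` through `IsOwner` (he is logged in) and then passes `has_object_permission` through `IsAdminOriginal`'s inherited default, so the composed permission grants him edit access to a shop he does not own. Any permission class used on the right of `|` therefore needs a real `has_object_permission`, not the permissive default.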