首先,編寫你自己的認證類。在此課程中,檢查用戶是否爲查看器。如果是,返回False。
class MyAuthentication(BasicAuthentication):
def is_authenticated(self, request, **kwargs):
is_authenticated = super(MyAuthentication, self).is_authenticated(request, **kwargs)
if not is_authenticated:
return False
return request.user.user_type_category != 'viewer'
其次,寫你自己的授權類。在這個類中覆蓋函數[create|update|delete]_[list|detail]
和創建/刪除函數檢查用戶是否爲用戶。如果是,則提出例外(詳情)或返回[]
(在列表中)。在更新中檢查用戶是否自行更新。如果不是,則引發異常或返回[]
。
class MyAuthorization(DjangoAuthorization):
def create_detail(self, object_list, bundle):
super(MyAuthorization, self).create_detail(object_list, bundle)
if bundle.request.user.user_type_category != 'admin':
raise Unauthorized("You are not allowed to create that resource.")
return True
def create_list(self, object_list, bundle):
if bundle.request.user.user_type_category != 'admin':
return []
return super(MyAuthorization, self).create_list(object_list, bundle)
def delete_detail(self, object_list, bundle):
super(MyAuthorization, self).delete_detail(object_list, bundle)
if bundle.request.user.user_type_category != 'admin':
raise Unauthorized("You are not allowed to delete that resource.")
return True
def delete_list(self, object_list, bundle):
if bundle.request.user.user_type_category != 'admin':
return []
return super(MyAuthorization, self).delete_list(object_list, bundle)
def update_detail(self, object_list, bundle):
super(MyAuthorization, self).delete_detail(object_list, bundle)
if bundle.request.user != bundle.obj:
raise Unauthorized("You are not allowed to update that resource.")
return True
def update_list(self, object_list, bundle):
object_list = super(MyAuthorization, self).update_list(object_list, bundle)
if object_list.count() == object_list.filter(pk=bundle.obj.pk).count():
return object_list
return []