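How to set different permissions for different methods, such as POST and list, using Django REST framework's ListCreateAPIView

I built a `Follow` model to record social-network behavior, and would like to simulate the following action. Every authenticated user can follow others.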
```python
from django.contrib.auth.models import User
from django.db import models


class Follow(models.Model):
    user = models.ForeignKey(User)
    follower = models.ForeignKey(User, related_name="followers")
    follow_time = models.DateTimeField(auto_now_add=True, blank=True)

    class Meta:
        unique_together = ('user', 'follower')

    def __unicode__(self):
        return u'%s, %s' % (self.user.username, self.follower)
```
And the `FollowSerializer` is:
```python
from rest_framework import serializers


class FollowSerializer(serializers.ModelSerializer):
    class Meta:
        model = Follow
        fields = ('user', 'follower', 'follow_time')
```
The view I use is:
```python
class FollowingEnumByUserID(generics.ListCreateAPIView):
    serializer_class = FollowSerializer

    def get_queryset(self):
        follower_id = self.kwargs['pk']
        return Follow.objects.filter(follower=follower_id)
```
The URL I register it under is:
```python
url(r'^api/users/(?P<pk>[0-9]+)/following/$', views.FollowingEnumByUserID.as_view()),
```
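Every authenticated user can view the following relations, without restriction. But I want to allow an authenticated user to add following relations only for themselves, which means it should hold that `request.user == follower`. How can I do this?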
I would like to add a `FollowingDelete` view that only allows the user to add following relations by him/herself.
So I updated url.py to:
```python
url(r'^api/users/(?P<pk>[0-9]+)/following/$', views.FollowingEnumByUserID.as_view()),
url(r'^api/users/(?P<pk>[0-9]+)/following/(?P<following_id>[0-9]+)/$', views.FollowingDelete.as_view()),
```
The permission I use now is:
```python
from django.contrib.auth.models import User
from rest_framework import permissions


class IsFollowerOrReadOnly(permissions.BasePermission):
    """
    View-level permission to allow the follower to edit the following relation
    """
    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS:
            return True
        try:
            follower = User.objects.get(id=view.kwargs["pk"])
        except User.DoesNotExist:
            # Reject any request for an invalid user
            return False
        return follower == request.user
```
And the views are:
```python
from rest_framework import generics
from rest_framework.permissions import IsAuthenticated


class FollowingEnumByUserID(generics.ListCreateAPIView):
    serializer_class = FollowSerializer
    permission_class = (IsFollowerOrReadOnly)

    def get_queryset(self):
        """
        List all the people the input user is following
        """
        follower_id = self.kwargs['pk']
        return Follow.objects.filter(follower=follower_id)


class FollowingDelete(generics.DestroyAPIView):
    serializer_class = FollowSerializer
    permission_class = (IsAuthenticated, IsFollowerOrReadOnly)

    def get_queryset(self):
        user_id = self.kwargs['following_id']
        follower_id = self.kwargs['pk']
        return Follow.objects.filter(user=user_id, follower=follower_id)
```
Now the questions are:

The permission class does not work.

How should I override `DestroyAPIView`? Should I override the `get_queryset` function?
Hi @Kevin, could you please answer the question above? – Scofield77 2015-01-18 03:16:04
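@Scofield77 At first glance, your modified code looks like it should work for what you are trying to do. I would recommend [creating a new question](https://stackoverflow.com/questions/ask) rather than modifying this one, as it seems to be a different problem. Also, welcome to Stack Overflow! – 2015-01-18 03:31:33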
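An added example, not part of the original question or its comments and not DRF's own code: DRF views read the attribute `permission_classes`, so a view that sets `permission_class` falls back to the default permission and accepts writes from any caller. The stand-in classes `Request`, `View`, `Misspelled` and `Corrected` and the `audit` helper are assumptions that model only this lookup and the URL `pk` check.

```python
# Added example: plain-Python stand-ins for the few DRF pieces involved.
# Request, View, Misspelled, Corrected and audit are hypothetical names.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same values as permissions.SAFE_METHODS

class AllowAny:
    def has_permission(self, request, view):
        return True

class IsAuthenticated:
    def has_permission(self, request, view):
        return request.user_id is not None

class IsFollowerOrReadOnly:
    """Writes pass only when the URL pk is the caller's own id (no DB lookup)."""
    def has_permission(self, request, view):
        if request.method in SAFE_METHODS:
            return True
        return request.user_id is not None and str(request.user_id) == view.kwargs["pk"]

class Request:
    def __init__(self, method, user_id=None):  # user_id None = anonymous
        self.method, self.user_id = method, user_id

class View:
    permission_classes = (AllowAny,)  # DRF's default when settings leave it unset

    def __init__(self, **kwargs):
        self.kwargs = kwargs  # URL kwargs arrive as strings, e.g. {"pk": "7"}

    def allowed(self, request):
        # Like APIView.check_permissions: only `permission_classes` is consulted.
        return all(p().has_permission(request, self) for p in self.permission_classes)

class Misspelled(View):
    permission_class = (IsFollowerOrReadOnly)  # as posted: wrong name, and not a tuple

class Corrected(View):
    permission_classes = (IsAuthenticated, IsFollowerOrReadOnly)

def audit(view_cls):
    """Report the attribute mistakes from the question on a view class."""
    problems = []
    if any("permission_class" in vars(c) for c in view_cls.__mro__):
        problems.append("permission_class is ignored; use permission_classes")
    if not isinstance(view_cls.permission_classes, (list, tuple)):
        problems.append("permission_classes must be a list or tuple")
    return problems
```

The permission only compares the URL `pk` with the caller, while `FollowSerializer` still accepts `follower` from the request body, so a real view should also set `follower` from `request.user` when saving.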