2017-06-13 42 views
0

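Django REST framework: restrict the user data view to admins and the user's own data

I'm using Django and DRF, and I would like to check whether a (regular) user, after being authenticated, is allowed to view its own profile, and only that one (no other user's).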

serializers.py

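from django.contrib.auth.models import User  # assumed: the stock Django user model
from rest_framework import serializers


class UserSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = User
        fields = ('id', 'url', 'username', 'password', 'email', 'groups', 'is_staff')

    def create(self, validated_data):
        # Hash the password rather than storing the raw value
        user = super().create(validated_data)
        user.set_password(validated_data['password'])
        user.save()
        return user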

Views.py

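from django.contrib.auth.models import User  # assumed: the stock Django user model
from rest_framework import viewsets

from .permissions import IsUser
from .serializers import UserSerializer


class UserViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows users to be viewed or edited.
    """
    queryset = User.objects.all().order_by('-date_joined')
    serializer_class = UserSerializer
    permission_classes = (IsUser,)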

permissions.py

from rest_framework import permissions


class IsUser(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_permission(self, request, view, obj):
        # View or Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

This obviously doesn't work, because it's wrong. But I can't figure out how to allow a user to view:

http://127.0.0.1:8000/api/users/7

only if it's an admin, or the very same user making the request.

And: http://127.0.0.1:8000/api/users/ only if it's an admin.

Thanks!

Answers

1
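from django.contrib.auth.models import User  # assumed: the stock Django user model
from rest_framework.permissions import BasePermission
from rest_framework.viewsets import ModelViewSet

from .serializers import UserSerializer


class UserViewSet(ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer

    def get_permissions(self):
        # Only list and retrieve are overridden here; every other action
        # (create, update, destroy, ...) keeps the default permission classes.
        if self.action == 'list':
            self.permission_classes = [IsSuperUser, ]
        elif self.action == 'retrieve':
            self.permission_classes = [IsUser]
        return super().get_permissions()


class IsSuperUser(BasePermission):

    def has_permission(self, request, view):
        return request.user and request.user.is_superuser


class IsUser(BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.user:
            if request.user.is_superuser:
                return True
            else:
                return obj == request.user
        else:
            return False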

Overriding the list and retrieve methods of UserViewSet is probably the easiest way.

+0

Perfect. Thank you very much. – Martin
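An added example (not part of the answers on this page, and not DRF's own code): one permission class that applies the question's rules per action and refuses every action it does not name. It goes beyond the list/retrieve split by keeping write actions admin-only, which is an assumption; `SelfOrAdmin`, `allowed` and `make_user` are hypothetical names, and the class is duck-typed so the block runs without Django installed (in a project it would subclass `rest_framework.permissions.BasePermission`).

```python
from types import SimpleNamespace

# Actions a regular user may perform on their own record. Write actions are
# left out on purpose: the serializer exposes 'is_staff' and 'groups', so a
# self-service update would let a user change their own privileges.
SELF_ACTIONS = {"retrieve"}


class SelfOrAdmin:
    """Superusers may do anything; other users may only retrieve themselves."""

    def has_permission(self, request, view):
        # View-level check: runs for every request before any object lookup.
        user = request.user
        if not getattr(user, "is_authenticated", False):
            return False
        if user.is_superuser:
            return True
        # list, create, update, destroy and unknown actions are refused here.
        return view.action in SELF_ACTIONS

    def has_object_permission(self, request, view, obj):
        # Object-level check: runs when the view fetches the requested user.
        user = request.user
        if user.is_superuser:
            return True
        return view.action in SELF_ACTIONS and obj.pk == user.pk


def allowed(user, action, target=None):
    """Mimic DRF's order: view-level check first, then the object-level one."""
    perm = SelfOrAdmin()
    request = SimpleNamespace(user=user)
    view = SimpleNamespace(action=action)
    if not perm.has_permission(request, view):
        return False
    return target is None or perm.has_object_permission(request, view, target)


def make_user(pk, superuser=False, authenticated=True):
    # Constructed stand-in for a Django user object.
    return SimpleNamespace(pk=pk, is_superuser=superuser,
                           is_authenticated=authenticated)
```

Set as the view set's only permission class, this removes the need to switch classes in `get_permissions()`.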

0

An extra check can be added to IsUser.

# SAFE_METHODS is the tuple ('GET', 'HEAD', 'OPTIONS')
if request.method in permissions.SAFE_METHODS:
    return True