我正在使用 Django Rest Framework 和 django-guardian(针对每个对象权限),使用实例返回对象权限的最佳方法是什么。
例如现在请求“/api/v1/objects/”返回:
{
"id":0,
"category": "string",
"name": "string",
"address": "string",
}
但我想返回具有权限的对象:
{
"id":0,
"category": "string",
"name": "string",
"address": "string",
"permissions":
{
"change": true,
"delete": true
}
}
这将很有用,例如,如果用户无权删除对象,则在前端不显示删除按钮。
下面是项目结构:
#Model
class Object(models.Model):
owner = models.ForeignKey(User)
category = models.ForeignKey(Category, null=True, default=None)
name = models.CharField(max_length=255)
address = models.CharField(max_length=255, default='')
#Serializer
class ObjectSerializer(ModelSerializer):
is_folder = BooleanField(read_only=True)
class Meta:
model = Object
fields = ('id', 'category', 'is_folder', 'name', 'address')
#ViewSet
class ObjectsViewSet(BaseViewSet, RetrieveModelMixin, ListModelMixin, CreateModelMixin, UpdateModelMixin,
DestroyModelMixin):
queryset = Object.objects
serializer_class = ObjectSerializer
permission_classes = (permissions.IsAuthenticatedOrReadOnly, ObjectPermission)
def get_queryset(self):
queryset = super(ObjectsViewSet, self).get_queryset()
return queryset.filter(owner=self.request.user)
#Permission
class ObjectPermission(permissions.BasePermission):
def has_permission(self, request, view):
if request.method in ['GET']:
return request.user.has_perm('view_object')
if request.method in ['POST']:
return request.user.has_perm('add_object')
if request.method in ['PUT', 'PATCH']:
return request.user.has_perm('change_object')
if request.method in ['DELETE']:
return request.user.has_perm('delete_object')
return False
def has_object_permission(self, request, view, obj):
if request.method in ['GET']:
return request.user.has_perm('view_object', obj)
if request.method in ['PUT', 'PATCH']:
return request.user.has_perm('change_object', obj)
if request.method in ['DELETE']:
return request.user.has_perm('delete_object', obj)
return False