7

当我收到POST关于 Django REST 框架APIView类的请求时,我想过滤/验证传递的参数以防止它们被修改。例如,对于这个序列化程序:

class MediaSerializer(serializers.ModelSerializer):
    class Meta:
        model = Media
        fields = ('id', 'title', 'content', 'url', 'createdByUser', 'karma', 'type', 'issue', 'creationDate', 'updatedDate')

不应修改某些参数,例如id,creationDate或。createdByUser所以对于我的课,class MediaDetail(APIView)我有:

def validateRequest(self):
        user = self.request.data.get('createdByUser', None)
        karma = self.request.data.get('karma', None)
        creationDate = self.request.data.get('creationDate', None)

        if user is not None or karma is not None or creationDate is not None:
            return Response(status=status.HTTP_400_BAD_REQUEST)

@method_decorator(login_required)
def post(self, request, pk, format=None):
        self.validateRequest()
        media = self.get_object(pk)
        self._throwIfNotMediaAuthor(media, request.user)

        serializer = MediaSerializer(media, data=request.data)

        if serializer.is_valid():
            # serializer.save()
            return Response(serializer.data)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

有没有更好的方法来进行此验证?也许在序列化器上?我找不到足够的文档。

4

1 回答 1

1

是的,您可以read_only_fields在序列化程序的Meta.

关于如何在当前视图中使用的示例(假设您想POST根据REST 的指南创建对象时对其进行了一些修改):

class MediaSerializer(serializers.ModelSerializer):
    class Meta:
        model = Media
        read_only_fields = ('id', 'karma', 'createdByUser', 'creationDate')
        ...

@method_decorator(login_required)
def post(self, request, pk, format=None):
        serializer = MediaSerializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        serializer.save(createdByUser=request.user, creationDate=timezone.now().date(), karma=initial_value)
        return Response(serializer.data, status=status.HTTP_201_CREATED)
于 2019-02-25T13:23:30.237 回答