https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions

 

from django.shortcuts import render

from rest_framework import mixins,viewsets
from .serializers import UserFavSerializer
from .models import UserFav
from rest_framework.permissions import IsAuthenticated
# Create your views here.
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Object-level permission to only allow owners of an object to edit it.
    Assumes the model instance has an `owner` attribute.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Instance must have an attribute named `owner`.
        return obj.user == request.user

class UserFavSetview(mixins.CreateModelMixin,mixins.ListModelMixin,
                     mixins.DestroyModelMixin,viewsets.GenericViewSet):
    permission_classes = (IsAuthenticated,IsOwnerOrReadOnly) #需登陆和需要是拥有者
    serializer_class = UserFavSerializer
    # queryset = UserFav.objects.all()
    def get_queryset(self):
        return UserFav.objects.filter(user=self.request.user)

PS:可以在view中配置authtication_classes,来指明特定的接口需要授权

posted on 2019-04-06 15:28  chester·chen  阅读(801)  评论(0编辑  收藏  举报