我在想,当涉及到Django Rest Framework时,最佳实践是什么。我一直通过使用不同的序列化程序(针对员工、帐户所有者和其他任何人)和HTTP方法来限制更改帐户某些属性的访问,但我觉得这太不符合Python风格了。
这是否是实现将对象的不同字段的“权限”分离出来的最佳方法?还是有更好、更符合Python风格的方法来完成我目前所做的事情?
我接受以下代码的任何批评,因为我觉得我有些地方偷懒了。
非常感谢。
from rest_framework import serializers, viewsets
from rest_framework.permissions import SAFE_METHODS
from accounts.models import User
from cpapi.permissions import *
class UserSerializer(serializers.HyperlinkedModelSerializer):
class Meta:
model = User
fields = ('id', 'url', 'username', 'password')
write_only_fields = ('password',)
def restore_object(self, attrs, instance=None):
user = super(UserSerializer, self).restore_object(attrs, instance)
if 'password' in attrs.keys():
user.set_password(attrs['password'])
return user
class UserDetailsSerializer(UserSerializer):
class Meta(UserSerializer.Meta):
fields = ('id', 'url', 'username', 'password', 'email')
class UserListSerializer(UserSerializer):
class Meta(UserSerializer.Meta):
fields = ('id', 'url', 'username')
class UserWithoutNameSerializer(UserSerializer):
class Meta(UserSerializer.Meta):
fields = ('id', 'url', 'password', 'email')
class UserViewSet(viewsets.ModelViewSet):
"""
API endpoint that allows users to be viewed or edited.
"""
serializer_class = UserSerializer
model = User
def get_serializer_class(self): # Modify to allow different information for different access (userlist vs staff)
serializer_class = self.serializer_class
if 'List' in self.get_view_name():
serializer_class = UserListSerializer
elif self.request.method in ['PUT', 'PATCH']:
serializer_class = UserWithoutNameSerializer
elif self.get_object() == self.request.user or self.request.user.is_staff:
serializer_class = UserDetailsSerializer
return serializer_class
def get_permissions(self):
if self.request.method in SAFE_METHODS or self.request.method == 'POST':
return [AllowAny()]
elif self.request.method == 'DELETE':
return [IsAdminUser()]
else:
return [IsStaffOrTargetUser()]