Django Rest Framework 和 Auth:如何覆盖 UserDetailsView
Django Rest Framework and Auth: How to override UserDetailsView
我将 django-rest-auth 用于我的自定义用户模型的 API 端点。获取用户详细信息后,我向 /rest-auth/user/ 发送 GET 请求。这适用于经过身份验证的用户,但对于标记为 403 Forbidden 错误的未经身份验证的用户来说是禁止的。
但是,我希望其他用户能够查看彼此的详细信息。我该如何更改?
这个测试证明了这个错误:
def test_get_user(self):
# /rest-auth/user/ (GET)
# params: username, first_name, last_name
# returns: pk, username, email, first_name, last_name
client = APIClient()
client.login(username=self.user2.username,
password=self.user2.password)
path = "/rest-auth/user/"
user_data = {
"username": self.username,
}
expected_response = {
"pk": self.id,
"username": self.username,
"email": self.email,
"first_name": '',
"last_name": '',
}
response = client.get(path, user_data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, expected_response)
编辑:
我试图覆盖 UserDetailsView 的权限,但未能正确执行。我该如何正确执行此操作?
from rest_auth import views
from rest_framework.permissions import IsAuthenticatedOrReadOnly
class CustomUserDetailsView(views.UserDetailsView):
permission_classes = (IsAuthenticatedOrReadOnly, )
django-rest-auth /rest-auth/user/ 只允许您获取经过身份验证的用户的详细信息。
class UserDetailsView(RetrieveUpdateAPIView):
"""
Reads and updates UserModel fields
Accepts GET, PUT, PATCH methods.
Default accepted fields: username, first_name, last_name
Default display fields: pk, username, email, first_name, last_name
Read-only fields: pk, email
Returns UserModel fields.
"""
serializer_class = UserDetailsSerializer
permission_classes = (IsAuthenticated,)
def get_object(self):
return self.request.user
def get_queryset(self):
"""
Adding this method since it is sometimes called when using
django-rest-swagger
https://github.com/Tivix/django-rest-auth/issues/275
"""
return get_user_model().objects.all()
如果您希望未经身份验证的用户读取您拥有的所有用户对象,请编写自己的视图。
serializers.py
User = get_user_model()
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = "__all__"
views.py
class UserDetailApiView(generics.RetrieveAPIView):
permission_classes = (IsAuthenticatedOrReadOnly,)
queryset = get_user_model().objects.all()
serializer_class = UserSerializer
urls.py
path('api/users/<int:pk>',views.UserDetailApiView.as_view(),name='user')
我将 django-rest-auth 用于我的自定义用户模型的 API 端点。获取用户详细信息后,我向 /rest-auth/user/ 发送 GET 请求。这适用于经过身份验证的用户,但对于标记为 403 Forbidden 错误的未经身份验证的用户来说是禁止的。
但是,我希望其他用户能够查看彼此的详细信息。我该如何更改?
这个测试证明了这个错误:
def test_get_user(self):
# /rest-auth/user/ (GET)
# params: username, first_name, last_name
# returns: pk, username, email, first_name, last_name
client = APIClient()
client.login(username=self.user2.username,
password=self.user2.password)
path = "/rest-auth/user/"
user_data = {
"username": self.username,
}
expected_response = {
"pk": self.id,
"username": self.username,
"email": self.email,
"first_name": '',
"last_name": '',
}
response = client.get(path, user_data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, expected_response)
编辑: 我试图覆盖 UserDetailsView 的权限,但未能正确执行。我该如何正确执行此操作?
from rest_auth import views
from rest_framework.permissions import IsAuthenticatedOrReadOnly
class CustomUserDetailsView(views.UserDetailsView):
permission_classes = (IsAuthenticatedOrReadOnly, )
django-rest-auth /rest-auth/user/ 只允许您获取经过身份验证的用户的详细信息。
class UserDetailsView(RetrieveUpdateAPIView):
"""
Reads and updates UserModel fields
Accepts GET, PUT, PATCH methods.
Default accepted fields: username, first_name, last_name
Default display fields: pk, username, email, first_name, last_name
Read-only fields: pk, email
Returns UserModel fields.
"""
serializer_class = UserDetailsSerializer
permission_classes = (IsAuthenticated,)
def get_object(self):
return self.request.user
def get_queryset(self):
"""
Adding this method since it is sometimes called when using
django-rest-swagger
https://github.com/Tivix/django-rest-auth/issues/275
"""
return get_user_model().objects.all()
如果您希望未经身份验证的用户读取您拥有的所有用户对象,请编写自己的视图。
serializers.py
User = get_user_model()
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = "__all__"
views.py
class UserDetailApiView(generics.RetrieveAPIView):
permission_classes = (IsAuthenticatedOrReadOnly,)
queryset = get_user_model().objects.all()
serializer_class = UserSerializer
urls.py
path('api/users/<int:pk>',views.UserDetailApiView.as_view(),name='user')