Do not show salaries in the table - Django permissions

I have a table that shows different expenses, including bills, rent, salaries and so on, and I want to hide salaries from my employees, so I added a new filter to my queryset which should restrict them, but when I test it with a different user the salaries are still there.

I'm not entirely sure why this happens, so could someone explain what I'm doing wrong here. Thanks!

Here is my custom permission:

class ExpenseAccessService:
    @staticmethod
    def can_view_salaries(user):
        # Both conditions are required: the staff flag on its own is not enough,
        # the user must also hold the model permission. Note that Django's
        # ModelBackend answers has_perm() with True for every active superuser.
        return user.is_staff and user.has_perm('cms_expenses.can_view_salaries')

And here is the REST API view where I'm doing the filtering.

from rest_framework import viewsets, permissions, filters

# Module paths below are assumed; the page does not show the project layout.
from . import models, expenses_permissions
from .pagination import StandardResultsOffsetPagination
from .serializers import ExpenseSerializer
from .services import ExpenseAccessService


class ExpenseViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        # query_params values are strings, so '?recurrent=false' is truthy here.
        only_recurrent = self.request.query_params.get('recurrent', False)
        queryset = models.Expense.objects.get_expenses_list(self.request.user)
        if only_recurrent:
            queryset = queryset.exclude(scheduled_recurrence__isnull=True)
        # check_object_permissions() expects (request, obj), raises on denial
        # and otherwise returns None, so this branch is never entered; if it
        # were, `queryset` would be replaced by a bool, not a filtered queryset.
        if self.check_object_permissions(self.request.user, queryset):
            queryset = ExpenseAccessService.can_view_salaries(self.request.user)
        return queryset

    serializer_class = ExpenseSerializer
    filter_backends = (
        filters.DjangoFilterBackend,  # lives in django_filters.rest_framework on DRF >= 3.7
        filters.SearchFilter,
        filters.OrderingFilter
    )

    filter_fields = ('paid', 'generated',)
    ordering_fields = (
        'value', 'currency', 'category', 'attachment', 'created', 'scheduled_recurrence', 'paid',
        'scheduled_recurrence__interval', 'scheduled_recurrence__next_occurrence', 'payment_proof',
        'description')
    search_fields = (
        'value', 'currency', 'category', 'attachment', 'created', 'paid',
        'scheduled_recurrence__interval', 'scheduled_recurrence__next_occurrence', 'payment_proof',
        'description')

    pagination_class = StandardResultsOffsetPagination

    permission_classes = [
        permissions.IsAuthenticated,
        expenses_permissions.ExpensesPermissions
    ]

Actually, check_object_permissions() does not check permissions for multiple objects:

def check_object_permissions(self, request, obj):
    """
    Check if the request should be permitted for a given object.
    Raises an appropriate exception if the request is not permitted.
    """
    for permission in self.get_permissions():
        if not permission.has_object_permission(request, self, obj):
            self.permission_denied(
                request, message=getattr(permission, 'message', None)
            )

Also, if you want to customise response.data, you'd better override get_serializer_class like this:

def get_serializer_class(self):
    # Superusers are normally also staff, so test the more privileged flag
    # first; otherwise the admin branch is unreachable.
    if self.request.user.is_superuser:
        return AdminExpenseSerializer
    if self.request.user.is_staff:
        return StaffExpenseSerializer
    # Every other user gets the default; returning None would break get_serializer().
    return ExpenseSerializer

I'm a bit late posting the answer to this question, but someone may find it useful, so after talking to my friend and reading Daniela Roseman's hint that I wanted a custom permission for staff, I came up with this solution:

from rest_framework import viewsets

# Module paths below are assumed; the page does not show the project layout.
from . import models
from .services import ExpenseAccessService


class ExpenseViewSet(viewsets.ModelViewSet):
    def get_queryset(self):
        # query_params values are strings, so '?recurrent=false' is truthy here.
        only_recurrent = self.request.query_params.get('recurrent', False)
        queryset = models.Expense.objects.get_expenses_list(self.request.user)
        if only_recurrent:
            queryset = queryset.exclude(scheduled_recurrence__isnull=True)
        # Restrict at queryset level: list, retrieve, update and destroy all go
        # through get_queryset(), so a hidden row is a 404 on every action, and
        # the search/ordering backends only ever see the already-filtered rows.
        if not ExpenseAccessService.can_view_salaries_and_commissions(self.request.user):
            queryset = queryset.exclude(category__in=["salary", "commissions"])
        return queryset

Using Django's exclude I restricted my staff from viewing salaries and commissions afterwards; I also came up with a solution using complex lookups with Q objects, but exclude is easier to read.
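The following is an added example, not code from the question or either answer. It models the accepted approach without a database so the access rule can be unit-tested in isolation: the restricted-category policy lives in the access service, the list and detail lookups both go through the same filtered set (the in-memory stand-in for `queryset.exclude(category__in=...)`), and a small function shows why the original `if self.check_object_permissions(...)` never filtered anything. `FakeUser`, `SAMPLE_EXPENSES`, `hidden_categories`, `visible_expenses`, `get_expense_or_none` and `audit` are assumptions introduced here; only the permission string and the staff-plus-permission rule come from the page.

```python
from dataclasses import dataclass, field


# Hypothetical stand-in for django.contrib.auth's User: only the attributes
# the page's ExpenseAccessService reads (is_staff, is_superuser, has_perm).
@dataclass
class FakeUser:
    username: str
    is_staff: bool = False
    is_superuser: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        # Django's ModelBackend grants every permission to active superusers.
        return self.is_superuser or perm in self.perms


VIEW_PERM = "cms_expenses.can_view_salaries"  # permission string from the page
RESTRICTED_CATEGORIES = frozenset({"salary", "commissions"})


class ExpenseAccessService:
    @staticmethod
    def can_view_salaries_and_commissions(user):
        # Same rule as the page: staff flag AND the model permission.
        return user.is_staff and user.has_perm(VIEW_PERM)

    @staticmethod
    def hidden_categories(user):
        """Categories this user must never see; empty for privileged users.
        In the viewset this is what feeds queryset.exclude(category__in=...)."""
        if ExpenseAccessService.can_view_salaries_and_commissions(user):
            return frozenset()
        return RESTRICTED_CATEGORIES


# Constructed sample rows standing in for Expense objects; not data from the page.
SAMPLE_EXPENSES = [
    {"id": 1, "category": "bills", "value": 120},
    {"id": 2, "category": "rent", "value": 900},
    {"id": 3, "category": "salary", "value": 4200},
    {"id": 4, "category": "commissions", "value": 350},
]


def visible_expenses(rows, user):
    """In-memory equivalent of get_queryset(): the exclude is applied before
    any search, ordering or pagination, so hidden rows never reach them."""
    hidden = ExpenseAccessService.hidden_categories(user)
    return [row for row in rows if row["category"] not in hidden]


def get_expense_or_none(rows, user, pk):
    """Detail lookup through the same filtered set. DRF's get_object() also
    starts from get_queryset(), so GET /expenses/3/ on a hidden row is a 404."""
    for row in visible_expenses(rows, user):
        if row["id"] == pk:
            return row
    return None


def check_object_permissions_like_drf(request, obj):
    """Mirrors the shape of DRF's check_object_permissions(): it raises on
    denial and otherwise returns None. No value is ever returned for `if`."""
    return None


def original_branch_is_reachable():
    # The page's original code tested the return value of
    # check_object_permissions(), which is always None, so its filtering
    # branch never ran and the salaries stayed in the response.
    return bool(check_object_permissions_like_drf(None, None))


def audit(rows, users):
    """Per user, list the restricted categories that still appear in the list view."""
    report = {}
    for user in users:
        seen = {row["category"] for row in visible_expenses(rows, user)}
        report[user.username] = sorted(seen & RESTRICTED_CATEGORIES)
    return report


if __name__ == "__main__":
    employee = FakeUser("employee", is_staff=True)
    payroll = FakeUser("payroll", is_staff=True, perms={VIEW_PERM})
    root = FakeUser("root", is_superuser=True)  # superuser, but not flagged as staff
    print(audit(SAMPLE_EXPENSES, [employee, payroll, root]))
```

The `root` case is worth noting: under the page's `is_staff and has_perm(...)` rule a superuser who is not also marked as staff is treated like an ordinary employee and does not see salaries, whereas `has_perm` alone would admit them. Whichever is intended, keeping the rule in one place and exercising it with a list of users like `audit` does makes the choice explicit and keeps it from drifting between the list and detail endpoints.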