根据 django rest 框架中的身份验证方法使用不同的序列化程序
Use different serializer depending on the authentication method in django rest framework
我正在尝试在 django rest 框架中实现用户配置文件。
用户应该能够请求其他用户的个人资料;但是,由于配置文件包含敏感信息,我想在请求配置文件时限制返回给非所有者和未经身份验证的用户的信息。
我正在寻找可以在我的视图方法中 运行 确定用于该请求的序列化程序的测试。
我该怎么做?
# models.py
class Profile(models.Model):
user = models.OneToOneField(settings.AUTH_USER_MODEL, related_name='profile')
bio = models.CharField(max_length=100)
# dob is sensitive and should be protected...
dob = models.DateTimeField(blank=True, null=True)
我的序列化器看起来像这样:
# serializers.py
# Only for the owner...
class ProfileOwnerSerializer(serializers.HyperlinkedModelSerializer):
user = serializers.ReadOnlyField(source='user.id')
first_name = serializers.ReadOnlyField(source='user.first_name')
last_name = serializers.ReadOnlyField(source='user.last_name')
class Meta:
model = Profile
fields = (
'url',
'id',
'dob', #sensitive
'user',
'first_name',
'last_name', #sensitive
)
#For logged in users...
class ProfileSerializer(serializers.HyperlinkedModelSerializer):
user = serializers.ReadOnlyField(source='user.id')
first_name = serializers.ReadOnlyField(source='user.first_name')
class Meta:
model = Profile
fields = (
'url',
'id',
'bio',
'user',
'first_name',
)
#For everyone else...
class NonAuthProfileSerializer:
...
我会在这里尝试区分它们...
# views.py
class ProfileDetail(APIView):
"""
Retrieve a profile instance.
"""
# Can't user permission_classes bc I want to cater to different classes...
def get_object(self, pk):
try:
return Profile.objects.get(pk=pk)
except Profile.DoesNotExist:
raise Http404
def get(self, request, pk, format=None):
profile = self.get_object(pk)
# is_owner = ???
# is_authenticated = ???
# Define the serializer to be ProfileSerializer, ProfileOwnerSerializer, etc.
serializer = CorrectSerializer(
profile,
context={"request": request},
)
return Response(serializer.data)
我认为检查请求是否由所有者发送并不难,因为我可以交叉引用配置文件 ID。
但是,如何检查用户是否已登录?我试过在视图方法中查看 request.user.auth,但这似乎是 None 无论请求是否已登录。
我认为你应该检查 request.user.is_authenticated()。填空:
is_owner = profile.user == request.user
is_authenticated = request.user.is_authenticated()
我正在尝试在 django rest 框架中实现用户配置文件。
用户应该能够请求其他用户的个人资料;但是,由于配置文件包含敏感信息,我想在请求配置文件时限制返回给非所有者和未经身份验证的用户的信息。
我正在寻找可以在我的视图方法中 运行 确定用于该请求的序列化程序的测试。
我该怎么做?
# models.py
class Profile(models.Model):
user = models.OneToOneField(settings.AUTH_USER_MODEL, related_name='profile')
bio = models.CharField(max_length=100)
# dob is sensitive and should be protected...
dob = models.DateTimeField(blank=True, null=True)
我的序列化器看起来像这样:
# serializers.py
# Only for the owner...
class ProfileOwnerSerializer(serializers.HyperlinkedModelSerializer):
user = serializers.ReadOnlyField(source='user.id')
first_name = serializers.ReadOnlyField(source='user.first_name')
last_name = serializers.ReadOnlyField(source='user.last_name')
class Meta:
model = Profile
fields = (
'url',
'id',
'dob', #sensitive
'user',
'first_name',
'last_name', #sensitive
)
#For logged in users...
class ProfileSerializer(serializers.HyperlinkedModelSerializer):
user = serializers.ReadOnlyField(source='user.id')
first_name = serializers.ReadOnlyField(source='user.first_name')
class Meta:
model = Profile
fields = (
'url',
'id',
'bio',
'user',
'first_name',
)
#For everyone else...
class NonAuthProfileSerializer:
...
我会在这里尝试区分它们...
# views.py
class ProfileDetail(APIView):
"""
Retrieve a profile instance.
"""
# Can't user permission_classes bc I want to cater to different classes...
def get_object(self, pk):
try:
return Profile.objects.get(pk=pk)
except Profile.DoesNotExist:
raise Http404
def get(self, request, pk, format=None):
profile = self.get_object(pk)
# is_owner = ???
# is_authenticated = ???
# Define the serializer to be ProfileSerializer, ProfileOwnerSerializer, etc.
serializer = CorrectSerializer(
profile,
context={"request": request},
)
return Response(serializer.data)
我认为检查请求是否由所有者发送并不难,因为我可以交叉引用配置文件 ID。
但是,如何检查用户是否已登录?我试过在视图方法中查看 request.user.auth,但这似乎是 None 无论请求是否已登录。
我认为你应该检查 request.user.is_authenticated()。填空:
is_owner = profile.user == request.user
is_authenticated = request.user.is_authenticated()