如何使用令牌身份验证对 Post 请求进行身份验证?
How can I authenticate a Post Request with Token Authentication?
现在我可以成功验证补丁、获取和删除,因此只有有权访问 object 的用户才能执行此操作。但我有一个简单的问题:
- 如何验证 POST 请求?
例如:
用户应该只能创建链接到文章的 ArticleImage 如果他们的两个作者是相同的,所以如果用户 1 是所有者,用户 2 不能添加 object 到文章。
而且我们还想确保用户 2 不能以用户 1 的名义进行 POST 请求。
Model.py
class Article(models.Model):
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
author = models.ForeignKey(User,on_delete=models.CASCADE,related_name='articles')
caption = models.CharField(max_length=250)
class ArticleImage(models.Model):
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
image = models.FileField(upload_to='images',null=True,blank=True, validators=[validate_file_extension])
article = models.ForeignKey(Article, on_delete=models.CASCADE,null=True,blank=True, related_name='articleimages')
author = models.ForeignKey(User,on_delete=models.CASCADE,related_name='articleimages')
View.py
class ArticleImageViewSet(viewsets.ModelViewSet):
permission_classes = (IsAuthenticated,)
queryset = ArticleImage.objects.all()
serializer_class = ArticleImageSerializer
filter_backends = [ArticleFilterBackend]
Filter.py
class ArticleFilterBackend(filters.BaseFilterBackend):
def filter_queryset(self, request, queryset, view):
return queryset.filter(article__author=request.user)
更新:Serializer.py
class ArticleImageSerializer(serializers.ModelSerializer):
class Meta:
model = ArticleImage
fields = ('id','image','article')
class ArticleSerializer(serializers.ModelSerializer):
articleimages_set = ArticleImageSerializer(source='articleimages',required=False,many=True)
class Meta:
model = Article
fields = ('id','author','caption','articleimages_set')
更新 2:
Post请求
'article':'articleid',
'image':'image.path',
Headers
'Content-Type': 'application/json',"Authorization" : "Token $token"
它曾经在没有 def validate()
的情况下工作。
现在我得到 'Article object (385395ec-dec8-472f-973f-b4f27755a658)” is not a valid UUID'.
您可以在序列化程序中执行类似的操作:
from rest_framework.exceptions import ValidationError
class ArticleImageSerializer(serializers.ModelSerializer):
class Meta:
model = ArticleImage
fields = ('id','image','article')
def validate(self, attrs):
attrs = super().validate(attrs)
if attrs['article'].author != self.context['request'].user:
raise ValidationError('Article does not belong to current user')
return attrs
在序列化程序中,您可以通过 self.context['request']
访问 request
,这意味着您可以将文章的作者与当前用户进行比较,即 self.context['request'].user
.
现在我可以成功验证补丁、获取和删除,因此只有有权访问 object 的用户才能执行此操作。但我有一个简单的问题: - 如何验证 POST 请求? 例如: 用户应该只能创建链接到文章的 ArticleImage 如果他们的两个作者是相同的,所以如果用户 1 是所有者,用户 2 不能添加 object 到文章。 而且我们还想确保用户 2 不能以用户 1 的名义进行 POST 请求。
Model.py
class Article(models.Model):
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
author = models.ForeignKey(User,on_delete=models.CASCADE,related_name='articles')
caption = models.CharField(max_length=250)
class ArticleImage(models.Model):
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
image = models.FileField(upload_to='images',null=True,blank=True, validators=[validate_file_extension])
article = models.ForeignKey(Article, on_delete=models.CASCADE,null=True,blank=True, related_name='articleimages')
author = models.ForeignKey(User,on_delete=models.CASCADE,related_name='articleimages')
View.py
class ArticleImageViewSet(viewsets.ModelViewSet):
permission_classes = (IsAuthenticated,)
queryset = ArticleImage.objects.all()
serializer_class = ArticleImageSerializer
filter_backends = [ArticleFilterBackend]
Filter.py
class ArticleFilterBackend(filters.BaseFilterBackend):
def filter_queryset(self, request, queryset, view):
return queryset.filter(article__author=request.user)
更新:Serializer.py
class ArticleImageSerializer(serializers.ModelSerializer):
class Meta:
model = ArticleImage
fields = ('id','image','article')
class ArticleSerializer(serializers.ModelSerializer):
articleimages_set = ArticleImageSerializer(source='articleimages',required=False,many=True)
class Meta:
model = Article
fields = ('id','author','caption','articleimages_set')
更新 2:
Post请求
'article':'articleid',
'image':'image.path',
Headers
'Content-Type': 'application/json',"Authorization" : "Token $token"
它曾经在没有 def validate()
的情况下工作。
现在我得到 'Article object (385395ec-dec8-472f-973f-b4f27755a658)” is not a valid UUID'.
您可以在序列化程序中执行类似的操作:
from rest_framework.exceptions import ValidationError
class ArticleImageSerializer(serializers.ModelSerializer):
class Meta:
model = ArticleImage
fields = ('id','image','article')
def validate(self, attrs):
attrs = super().validate(attrs)
if attrs['article'].author != self.context['request'].user:
raise ValidationError('Article does not belong to current user')
return attrs
在序列化程序中,您可以通过 self.context['request']
访问 request
,这意味着您可以将文章的作者与当前用户进行比较,即 self.context['request'].user
.