def get_permissions(self): if self.action not in ['update', 'partial_update', 'destroy']: return [AllowAny()] return [IsAuthenticated()]
class StoryViewSet(viewsets.GenericViewSet): queryset = Story.objects.all() serializer_class = StorySerializer permission_classes = (IsAuthenticated(), ) cache_story_page1_key = 'story:list-1' cache_story_main_key = 'story:main' cache_story_trending_key = 'story:trending' cache_timeout = 60 cache_timeout_long = 600 def get_serializer_class(self): if self.action in ('list', 'main', 'trending'): return SimpleStorySerializer elif self.action in ('comment', 'comment_list'): return CommentSerializer return self.serializer_class def get_permissions(self): if self.action in ('retrieve', 'list', 'comment_list', 'main', 'trending'): return (AllowAny(), ) elif self.request.method.lower() == 'options': return (AllowAny(), ) # Allow CORS preflight request return self.permission_classes def get_pagination_class(self): if self.action in ('comment', 'comment_list'): return CommentPagination return StoryPagination pagination_class = property(fget=get_pagination_class) def create(self, request): serializer = self.get_serializer(data=request.data) serializer.is_valid(raise_exception=True) serializer.save() return Response(serializer.data, status=status.HTTP_201_CREATED) def update(self, request, pk=None): story = self.get_object() if story.writer != request.user: return Response({'error': "You can't edit others' story"}, status=status.HTTP_403_FORBIDDEN) serializer = self.get_serializer(story, data=request.data, partial=True) serializer.is_valid(raise_exception=True) serializer.update(story, serializer.validated_data) return Response(serializer.data) def retrieve(self, request, pk=None): story = self.get_object() if story.published or story.writer == request.user: return Response(self.get_serializer(story).data) return Response({'error': "This story is not published yet"}, status=status.HTTP_404_NOT_FOUND) def list(self, request): queryset = self.get_queryset(). \ filter(published=True). \ order_by('-published_at'). \ defer('body'). \ select_related('writer'). \ prefetch_related('writer__userprofile') is_cacheable = True if 'title' in request.query_params: title = request.query_params.get('title') queryset = queryset.filter(title__icontains=title) is_cacheable = False if 'tag' in request.query_params: return Response({'error': 'tag query is not implemented'}, status=status.HTTP_501_NOT_IMPLEMENTED) # is_cacheable = False if is_cacheable: queryset = queryset.filter(main_order=None, trending_order=None) if is_cacheable and request.query_params.get('page', 1) in (1, '1'): cached_data = cache.get(self.cache_story_page1_key) if cached_data is None: page = self.paginate_queryset(queryset) assert page is not None serializer = self.get_serializer(page, many=True) response = self.get_paginated_response(serializer.data) data = response.data cache.set(self.cache_story_page1_key, data, timeout=self.cache_timeout) return response else: data = cached_data return Response(data) page = self.paginate_queryset(queryset) assert page is not None serializer = self.get_serializer(page, many=True) return self.get_paginated_response(serializer.data) @action(methods=['GET'], detail=False) def main(self, request): cached_data = cache.get(self.cache_story_main_key) if cached_data is None: queryset = self.get_queryset(). \ filter(published=True). \ filter(main_order__gte=1, main_order__lte=5). \ order_by('main_order'). \ defer('body'). \ select_related('writer'). \ prefetch_related('writer__userprofile') data = self.get_serializer(queryset, many=True).data cache.set(self.cache_story_main_key, data, timeout=self.cache_timeout_long) else: data = cached_data return Response(data) @action(methods=['GET'], detail=False) def trending(self, request): cached_data = cache.get(self.cache_story_trending_key) if cached_data is None: queryset = self.get_queryset(). \ filter(published=True). \ filter(trending_order__gte=1, trending_order__lte=6). \ order_by('trending_order'). \ defer('body'). \ select_related('writer'). \ prefetch_related('writer__userprofile') data = self.get_serializer(queryset, many=True).data cache.set(self.cache_story_trending_key, data, timeout=self.cache_timeout_long) else: data = cached_data return Response(data) @action(methods=['POST'], detail=True) def publish(self, request, pk=None): story = self.get_object() if story.writer != request.user: return Response({'error': "You can't publish others' story"}, status=status.HTTP_403_FORBIDDEN) if story.published: story.published_at = None story.published = False else: story.published_at = timezone.now() story.published = True story.save() return Response(self.get_serializer(story).data) def destroy(self, request, pk=None): story = self.get_object() if story.writer != request.user: return Response({'error': "You can't delete others' story"}, status=status.HTTP_403_FORBIDDEN) story.delete() return Response(status=status.HTTP_204_NO_CONTENT) @action(methods=['POST', 'PUT', 'DELETE'], detail=True) def comment(self, request, pk=None): if pk is None: return Response({'error': "Primary key is required"}, status=status.HTTP_400_BAD_REQUEST) story = self.get_queryset().only('published').get(pk=pk) if not story.published: return Response({'error': "This story is not published yet"}, status=status.HTTP_404_NOT_FOUND) if request.method == 'POST': serializer = CommentSerializer(data=request.data, context={ 'story': story, 'user': request.user }) serializer.is_valid(raise_exception=True) serializer.save() return Response(serializer.data, status=status.HTTP_201_CREATED) else: # When method is PUT or DELETE if 'id' not in request.query_params: return Response({'error': "comment id is required"}, status=status.HTTP_400_BAD_REQUEST) try: comment = story.comments.get(id=request.query_params.get('id')) except StoryComment.DoesNotExist: return Response( { 'error': "Comments with this id do not exist in this story." }, status=status.HTTP_400_BAD_REQUEST) if comment.writer != request.user: return Response({'error': "This is not your comment"}, status=status.HTTP_403_FORBIDDEN) if request.method == 'PUT': serializer = self.get_serializer(comment, data=request.data, partial=True) serializer.is_valid(raise_exception=True) serializer.update(comment, serializer.validated_data) return Response(serializer.data) elif request.method == 'DELETE': comment.delete() return Response(status=status.HTTP_204_NO_CONTENT) @comment.mapping.get def comment_list(self, request, pk=None): story = self.get_queryset().only('published').get(pk=pk) if not story.published: return Response({'error': "This story is not published yet"}, status=status.HTTP_404_NOT_FOUND) queryset = story.comments.all(). \ order_by('created_at'). \ select_related('writer'). \ select_related('writer__userprofile') page = self.paginate_queryset(queryset) assert page is not None serializer = self.get_serializer(page, many=True) return self.get_paginated_response(serializer.data)
def has_permission(self, request, view): if IsAuthenticated().has_permission( request, view) and request.method in self.SAFE_METHODS: return True return IsAdminUser().has_permission(request, view)
def get_permissions(self): if self.action == 'list': return [AllowAny()] return [IsAuthenticated()]
def get_permissions(self): if self.action in ['create', 'update', 'partial_update', 'destroy']: return [IsAuthenticated(), IsAdminUser()] return []
def get_permissions(self): if self.action in ['create', 'update', 'destroy']: return [IsAdminUser()] if self.action in ['list', 'retrieve']: return [IsAuthenticated()] return [IsAdminUser()]
def get_permissions(self): permissions = super().get_permissions() if self.request.method in ["POST", "DELETE", "PUT", "PATCH"]: permissions.append(IsAuthenticated()) return permissions
def get_permissions(self): if self.action == "create": return [IsAuthenticated()] return super().get_permissions()
def get_permissions(self): if self.action == "list": return [IsAuthenticated()] if self.action == "retrieve": return [IsAuthenticated(), UserIsSelf()] if self.action == "update": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "create": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "create_multiple": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "reset_password": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "reset_password_multiple": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "set_inactive": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "set_inactive_multiple": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "set_active": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "set_active_multiple": return [IsAuthenticated(), UserIsSuperUser()] if self.action == "set_avatar": return [IsAuthenticated(), UserIsSelf()] if self.action == "remove_avatar": return [IsAuthenticated(), UserIsSelf()] if self.action == "get_face_list": return [IsAuthenticated()] if self.action == "set_face": return [IsAuthenticated(), UserIsSelf()] if self.action == "get_info_self": return [IsAuthenticated()] if self.action == "change_password_admin": return [IsAuthenticated(), UserIsSuperUser()] return []
def get_permissions(self): if self.request.method == "GET": return AllowAny(), else: return IsAuthenticated(),
def get_permissions(self): if self.action in ("make", ): return (IsAuthenticated(), ) return (AllowAny(), )
def get_permissions(self): if self.method in ('get', 'post'): return [IsAuthenticated()] return [HasStoreProfile()]
def get_permissions(self): """获取权限""" if self.is_action: return [IsAdminUser(), IsAuthenticated()] else: return []
def has_permission(self, request, view): if not IsAuthenticated().has_permission(request, view): return False return (UserProjectsListing().has_permission(request, view) or PublicDetailPrivateListing().has_permission(request, view))
def get_permissions(self): if self.action == 'create' and self.action == 'retrieve': return (AllowAny(),) else: #return (AllowAny(),) return (IsAuthenticated(),UserPermission())
def get_permissions(self): if self.action == "check_old_email": return [IsAuthenticated()] if self.action == "send_old_email_captcha": return [IsAuthenticated()] if self.action == "confirm_old_email_captcha": return [IsAuthenticated()] if self.action == "change_mobile": return [IsAuthenticated()] if self.action == "change_password": return [IsAuthenticated()] if self.action == "send_new_email_captcha": return [IsAuthenticated()] if self.action == "change_email": return [IsAuthenticated()] if self.action == "check_account_password": return [IsAuthenticated()] if self.action == "send_bind_email_captcha": return [IsAuthenticated()] if self.action == "bind_email": return [IsAuthenticated()] return [IsAuthenticated()]
def get_permissions(self): if self.request.method == 'GET': return [AllowAny(), ] else : return [IsAuthenticated(), ]
def get_permissions(self): request_method = self.request.method if request_method == 'POST': return (IsAdminUser(), IsVerified()) else: return (IsAuthenticated(), IsVerified())
def get_permissions(self): if self.action == 'destroy': return [IsAuthenticated()] else: return []
def get_permissions(self): if self.action in self.allowed_actions: return (AllowAny(),) if self.action in self.auth_actions or self.request.method in self.auth_methods: return (IsAuthenticated(),) return super(Users, self).get_permissions()
def get_permissions(self): if self.authenticate_permission_path and ( get_end_url_path(self.request.path) in self.authenticate_permission_path): return [IsAuthenticated()] return super().get_permissions()
def get_permissions(self): # Anyone can view tweets but only authenticated user can do other things if self.action == 'list': return [AllowAny()] return [IsAuthenticated()]
class UserViewSet(viewsets.GenericViewSet): queryset = User.objects.all() permission_classes = (IsAuthenticated(),) def get_permissions(self): if self.action in ("create", "login", "retrieve"): return (AllowAny(),) return self.permission_classes def get_serializer_class(self): if self.action in ("create", "update"): return UserSerializer return UserProfileSerializer @transaction.atomic def create_github_user(self, request): github_data = get_github_data(request.data.get("github_token")) if github_data is None or github_data.get("id") is None: return Response( {"message": "Invalid github token"}, status=status.HTTP_400_BAD_REQUEST ) github_id = int(github_data["id"]) if UserProfile.objects.filter(github_id=github_id).exists(): return Response( {"message": "User already signed up"}, status=status.HTTP_400_BAD_REQUEST, ) user = User.objects.create_user( username=f"{GITHUB}_{github_id}", password="******", email=github_data.get("email", ""), ) request_data = request.data.copy() request_data["nickname"] = github_data["login"] request_data["github_id"] = github_id request_data["user_id"] = user.id Token.objects.create(user=user) serializer = UserProfileProduceSerializer(data=request_data) serializer.is_valid(raise_exception=True) serializer.save() data = UserProfileSerializer(user.profile).data data["token"] = user.auth_token.key return Response(data, status=status.HTTP_201_CREATED) def create(self, request): request_data = request.data.copy() github_token = request_data.get("github_token") if github_token is not None: return self.create_github_user(request) request_data.pop("github_id", None) serializer = self.get_serializer(data=request_data) serializer.is_valid(raise_exception=True) user = serializer.save() data = UserProfileSerializer(user.profile).data data["token"] = user.auth_token.key return Response(data, status=status.HTTP_201_CREATED) @action(detail=False, methods=["PUT"]) def login(self, request): username = request.data.get("username") password = request.data.get("password") github_token = request.data.get("github_token") if github_token is None or github_token == "": if username is None or len(username) > MAX_LENGTH: return Response( {"message": "Authentication failed"}, status=status.HTTP_403_FORBIDDEN, ) user = authenticate(request, username=username, password=password) else: github_data = get_github_data(github_token) try: user = UserProfile.objects.get(github_id=github_data.get("id")).user except (UserProfile.DoesNotExist, AttributeError): return self.create_github_user(request) if user and user.is_active: data = self.get_serializer(user.profile).data token, created = Token.objects.get_or_create(user=user) data["token"] = token.key return Response(data) return Response( {"message": "Authentication failed"}, status=status.HTTP_403_FORBIDDEN ) @action(detail=False, methods=["POST"]) def logout(self, request): try: request.user.auth_token.delete() except (AttributeError, ObjectDoesNotExist): return Response( {"message:token not exist"}, status=status.HTTP_400_BAD_REQUEST ) return Response({}) def retrieve(self, request, pk=None): if pk == "me": if not request.user.is_authenticated: return Response( {"message": "Invalid Token"}, status=status.HTTP_401_UNAUTHORIZED ) user = request.user else: try: user = User.objects.get(pk=pk, is_active=True) except (User.DoesNotExist, ValueError): return Response( {"message": "There is no user with that id"}, status=status.HTTP_404_NOT_FOUND, ) return Response(self.get_serializer(user.profile).data) def update(self, request, pk=None): if pk != "me": return Response( {"message": "Not allowed to edit user not me"}, status=status.HTTP_403_FORBIDDEN, ) user = request.user data = request.data serializer = self.get_serializer(user, data=data, partial=True) serializer.is_valid(raise_exception=True) serializer.save() data = UserProfileSerializer(user.profile).data return Response(data, status=status.HTTP_200_OK) def destroy(self, request, pk=None): if pk != "me": return Response( {"message": "Not allowed to edit user not me or this user"}, status=status.HTTP_403_FORBIDDEN, ) user = request.user if user.is_active: user.is_active = False user.save() logout(request) return Response({}, status=status.HTTP_200_OK) else: return Response({}, status=status.HTTP_204_NO_CONTENT)
def get_permissions(self): if self.request.method not in permissions.SAFE_METHODS: permission_classes = [IsAuthorOfPost] return [permission() for permission in permission_classes] return [IsAuthenticated()]
def get_permissions(self): if self.action in ['list', 'retrieve']: return [AllowAny()] return [IsAuthenticated()]
def has_permission(self, request, view) -> list: if request.method == "GET" and not request.user.is_anonymous: return [IsAuthenticated()] elif request.method == "POST": return [AllowAny()] return []
def get_permissions(self): """Authenticate, unless you are creating a user""" return [AllowAny()] if self.action == "create" else [IsAuthenticated()]
class ArticleViewSet(viewsets.GenericViewSet): queryset = Article.objects.all() serializer_class = ArticleSerializer permission_classes = (IsAuthenticated(), ) pagination_class = CursorSetPagination def get_permissions(self): return self.permission_classes def create(self, request): user = request.user title = request.data.get('title') articles = Article.objects.filter(article_writer_id=user, title=title) if articles.exists(): return Response( {"error": "article with same writer and title is invalid."}, status=status.HTTP_400_BAD_REQUEST) serializer = self.get_serializer(data=request.data) serializer.is_valid(raise_exception=True) serializer.save(article_writer=user) data = serializer.data return Response(data, status=status.HTTP_201_CREATED) def update(self, request, pk=None): user = request.user article = get_object_or_404(Article, pk=pk) if user != article.article_writer: return Response({"error": "Can't update other User's article"}, status=status.HTTP_403_FORBIDDEN) serializer = self.get_serializer(article, data=request.data, partial=True) serializer.is_valid(raise_exception=True) serializer.update(article, serializer.validated_data) return Response(serializer.data) def retrieve(self, request, pk=None): article = get_object_or_404(Article, pk=pk) return Response(self.get_serializer(article).data) def list(self, request): title = self.request.query_params.get('title') articles = self.get_queryset() if title: articles = articles.filter(title__icontains=title) data = ArticleSerializer(articles, many=True).data return Response(data) def destroy(self, request, pk=None): user = request.user article = get_object_or_404(Article, pk=pk) if user != article.article_writer: return Response({"error": "Can't delete other User's article"}, status=status.HTTP_403_FORBIDDEN) article.delete() return Response({"message": "Successfully deleted."}) @transaction.atomic @action(methods=['post'], detail=True) def like(self, request, pk=None): user = request.user article = get_object_or_404(Article, pk=pk) check = user.like_article.filter(article=article) if check: LikeArticle.objects.get(user=user, article=article).delete() article.like_count = LikeArticle.objects.filter( article=article).count() article.save() return Response("You Unliked this article.", status=status.HTTP_200_OK) else: LikeArticle.objects.create(user=user, article=article) article.like_count = LikeArticle.objects.filter( article=article).count() article.save() return Response("You liked this article.", status=status.HTTP_200_OK) @transaction.atomic @action(methods=['POST'], detail=True, url_path='comment_write') def comment_write(self, request, pk=None): article = get_object_or_404(Article, pk=pk) user = request.user serializer = CommentSerializer(data=request.data) serializer.is_valid(raise_exception=True) serializer.save(comment_writer=user, article=article) data = serializer.data return Response(data, status=status.HTTP_201_CREATED) @action(methods=['GET'], detail=True, url_path='comment_list') def comment_list(self, request, pk=None): qp_contents = self.request.query_params.get('contents') article = get_object_or_404(Article, pk=pk) comments = article.comment.get_queryset() if qp_contents: comments = comments.filter(contents__icontains=qp_contents) return Response(CommentSerializer(comments, many=True).data) @action(methods=['GET'], detail=True, url_path='comment/(?P<comment_pk>[^/.]+)') def comment_retrieve(self, request, comment_pk, pk=None): article = get_object_or_404(Article, pk=pk) comment = get_object_or_404(article.comment, pk=comment_pk) return Response(CommentSerializer(comment).data) @action(methods=['PUT'], detail=True, url_path='comment_update/(?P<comment_pk>[^/.]+)') def comment_update(self, request, comment_pk, pk=None): user = request.user article = get_object_or_404(Article, pk=pk) comment = get_object_or_404(article.comment, pk=comment_pk) if user != comment.comment_writer: return Response({"error": "Can't Update other User's comment"}, status=status.HTTP_403_FORBIDDEN) serializer = CommentSerializer(comment, data=request.data, partial=True) serializer.is_valid(raise_exception=True) serializer.update(comment, serializer.validated_data) return Response(serializer.data) @action(methods=['DELETE'], detail=True, url_path='comment_delete/(?P<comment_pk>[^/.]+)') def comment_delete(self, request, comment_pk, pk=None): user = request.user article = get_object_or_404(Article, pk=pk) comment = get_object_or_404(article.comment, pk=comment_pk) if user != comment.comment_writer: return Response({"error": "Can't delete other User's comment"}, status=status.HTTP_403_FORBIDDEN) comment.delete() return Response({"message": "Successfully deleted."})