我有2个数据库。一个包含AUTH的AUTH也扩展到以下models.py -
from django.contrib.auth.models import User
class FileIndex(models.Model):
filename = models.CharField(max_length=256)
filetype = models.CharField(max_length=16)
vendorid = models.IntegerField()
vendorname = models.CharField(max_length=256)
tablename = models.CharField(max_length=256)
class Meta:
db_table = 'file_index'
verbose_name = 'File/Vendor Index'
verbose_name_plural = 'File/Vendor Indicies'
def __str__(self):
return self.filename
class UserFile(models.Model):
userid = models.ForeignKey(User)
fileid = models.ForeignKey(FileIndex)
grant_date = models.DateTimeField()
revoke_date = models.DateTimeField(blank=True)
class Meta:
db_table = 'auth_files'
verbose_name = 'User File Matrix'
verbose_name_plural = 'User File Matricies'
FileIndex中的“tablename”字段引用另一个App中引用的另一个数据库中的Table Name。我正在使用的当前测试视图在我的views.py
中class File_List(generics.ListAPIView):
model = cdx_composites_csv
serializer_class = cdx_compositesSerializer
def get_queryset(self):
"""
This view should return a list of all the purchases for
the user as determined by the username portion of the URL.
"""
filename = self.request.GET.get('filename')
model = get_model('markit', filename)
filedate = self.request.GET.get('filedate')
queryset = model.objects.using('markitdb').filter(Date__contains=filedate)
return queryset
如果我没有登录,它工作正常并给出“未授权”,但无论我是否在桌面上设置了查看权限,我的用户仍然可以执行该视图。
模型在函数之前列出,否则它会抱怨模型不在那里。我想稍后再说清楚。首先,我试图理解为什么我的视图仍在执行,即使用户没有组权限来查看模型。
答案 0 :(得分:0)
我通过在我看来执行以下操作来攻击这个 -
class ExampleView(APIView): model = cdx_composites_csv serializer_class = cdx_compositesSerializer
def get(self, request, format=None):
if UserFile.objects.filter(fileid_id=1, userid_id=2).exists():
content = {
'status': 'Request Successful.'
}
return Response(content)
else:
content = {
'status': 'Request Failed.'
}
return Response(content)
基本上在身份验证之后它会对UserFile进行查询以验证用户和文件是否存在,如果存在,那么我可以编写它来执行查询集。