Reputation: 105
Create model instance only if its user id field is equal to the logged-in user's id
In a django rest framework app, there's a TextViewSet. The Text object structure is as follows:
{
text: text_value,
author: author_id
}
When creating a new Text instance, I want to check if the supplied author_id equals the currently logged-in user's id.
I've read this question: When to use Serializer's create() and ModelViewset's perform_create(), but still can't decide whether to override Serializer's create(), ModelViewset's create() or perform_create() methods. What's the right method to override?
UPD:
models.py:
class Text(models.Model):
text = models.TextField()
author = models.ForeignKey(CustomUser, on_delete=models.CASCADE)
serializers.py:
class TextSerializer(serializers.ModelSerializer):
class Meta:
model = Text
fields = ['author', 'text']
The question is in which of these methods should one perform this check if self.request.user.id != self.request.data['author']:?
Upvotes: 2
Views: 683
Answers (2)
Reputation: 4154
The real question is why not just set author to the logged in user and not let the client send in any ID at all?
The normal way of doing this is by:
class MyViewSet(ModelViewSet):
...
def perform_create(self, serializer):
'''The logged in user is always the author'''
return serializer.save(author=self.request.user)
def get_queryset(self):
'''Limit the queryset to the author, i.e the logged in user, for fetching/updating data'''
return self.queryset.filter(author=self.request.user)
But if you really want to send in author-id then you can also use a custom Permission for it to have it re-usable.
from rest_framework.permissions import BasePermission
class UserIsAuthor(BasePermission):
default_author_field = "author"
def has_permission(self, request, view):
author_field = getattr(
view,
"permission_author_field",
self.default_author_field
)
return request.user.is_authenticated and (
request.user.pk == request.data.get(author_field)
)
used as:
class ExampleViewSet(ModelViewSet):
permission_classes = [UserIsAuthor]
# optional if the default "author" isnt what you want.
permission_author_field = "some_field_in_request_data"
Upvotes: 0
Reputation: 6565
You can override create() the method of your TextViewSet
views.py
from rest_framework.response import Response
class TextViewSet(ModelViewSet):
def create(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
if request.user.id == request.data['author']:
self.perform_create(serializer)
headers = self.get_success_headers(serializer.data)
return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
else:
return Response("Unauthorized", status=status.HTTP_401_UNAUTHORIZED
Upvotes: 1
Related Questions
- Automatically Add Logged In User Under 'Created_By' to Model in Django Rest Framework
- REST Api Django - create new model-object and add currently logged in user to it
- I want to restrict a particular user from creating a saved class object if the current user id is different from the id in the live class object
- Django rest create user if login not exists
- Check if user exists before creating new user djangorestframework
- How to handle associating a User with a Model?
- Django rest framework. If user exist return True, False if not
- Django-rest saving model against a specific user
- How to create model in Django REST with userID from authentication
- How to deal with user_id field properly?