I have a view deriving from ListAPIView, with the following permissions:
permission_classes = (permissions.IsAuthenticated, IsOwnerOrSuperuser, )
IsOwnerOrSuperuse is defined as such:
class IsOwnerOrSuperuser(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
return obj.user == request.user or request.user.is_superuser
(which is very similar to the tutorial)
Now, when a normal user queries my view, it can see everyone's objects. Isn't the permission applied to every single object in the list? How can I enforce this type of behaviour with minimal overhead?
Thanks
No, has_object_permission is not applied to list and create endpoints, only retrieve, update and delete where there is only single instance. To filter lists, you should use get_queryset to filter the objects.
class BlogList(generics.ListAPIView):
serializer_class = BlogSerializer
permission_classes = (IsOwnerOrSuperuser,)
def get_queryset(self):
user = self.request.user
return Blog.objects.filter(user=user)
To apply further permissions, you need to implement .has_permission(self, request, view)....
Related
I am using Flask-Marshmallow and Flask-SQLAlchemy to dump data to an API.
I have an option in the API to dump specific fields in the response:
schema = UserSchema()
schema.dump(data, only=fields)
I get an error if one of the field names is derived if it is plucked using the data_key feature:
ValueError: Invalid fields for <UserSchema()>: {'account_name'}.
CLARIFICATION: To correctly filter this field the client has to pass accountname to return account_name. This is undesirable since the client is not exposed to the internal implementation.
Example Code:
class User(db.Model):
__tablename__ = 'users'
user_id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String)
account = db.relationship('Account', backref='user')
class Account(db.Model):
__tablename__ = 'accounts'
account_id = db.Column(db.Integer, primary_key=True)
user_id = db.Column(db.Integer)
accountname = db.Column(db.String)
class UserSchema(ma.SQLAlchemyAutoSchema):
class Meta:
model = User
include_fk = True
sqla_session = db.session
account = ma.Pluck('AccountSchema', 'accountname', data_key='account_name')
class AccountSchema(ma.SQLAlchemyAutoSchema):
class Meta:
model = Account
include_fk = True
sqla_session = db.session
Is there a trick to get Marshmallow to dump based on the data_key?
UPDATE: I am currently solving this with a brute force method by decorating the controller functions with a mapper. But, it would be nice if Marshmallow could handle this?
I guess the issue here is that you pass user data (name of keys from client side) into method from object world (dump) that is not meant to.
I don't think it would work even if there was no Pluck field involved, would it?
You need a layer translating user field selection into object world (field names).
This is the mapping you're using. Maybe you could generate the mapping automatically by introspecting the schemas. This can be done in a base schema class.
I'm using Django rest framework 3.7.7
I want to serialize an object instance and then deserialize it (without saving to DB again).
So I created a serializer that inherits from serializers.ModelSerializer.
To this model instance I sometimes add a field within the request that is not part of the model, using property setter. I did add it to the serializer as well, but when serializing - I don't see that field in the serialized data.
This is the model:
class MyModel(models.Model):
manager = models.CharField(max_length=200)
reviewer = models.CharField(max_length=200)
#property
def note(self):
return getattr(self, '_note', None)
#note.setter
def note(self, value):
self._note = value
This is the model serializer:
class MyModelSerializer(serializers.ModelSerializer):
note = serializers.CharField(write_only=True, required=False, max_length=1000, allow_null=True)
class Meta:
model = MyModel
fields = [
'manager',
'reviewer',
'note'
]
This is how I use the serializer:
ser_instance = MyModelSerializer(self.instance)
ser_data = ser_instance.data
seems like the ser_instance.data contains only the model fields data (without the 'note')
From the write_only--[DRF-Doc], it states that
Set this to True to ensure that the field may be used when updating or creating an instance, but is not included when serializing the representation.
Defaults to False
So, if you need to serialize the note field, remove the write_only=true from serializer.
#serializers.py
class MyModelSerializer(serializers.ModelSerializer):
note = serializers.CharField(required=False, max_length=1000, allow_null=True) # removed "write_only=True"
...
I have a problem with mirage.
I am defining a serializer extending ActiveModelSerializer with serializeIds: 'always', in this case the model is serialized with the relations models ids.
But when i want include some model in the serialized content i use include: ['someModel'], in that case the someModel is included succesfully, but the ids of the rest of relationships are ignored.
How can i include the ids too?
Hm, I believe this is the default behavior. To override this you could call super on the Serializer's serialize method and ensure the ids are added to the payload:
serialize(post, request) {
let json = Serializer.prototype.serialize.apply(this, arguments);
json.post.commentIds = post.commentIds;
return json;
}
So I am trying to implement a friendlist, the above is the SQL diagram I made for my simple project and after generating the Models. I realized there was something wrong with the way Gii generated the model.
I wanted to make a many-to-many relationship with User to itself, but this is what I got:
class User {
...
public function getPosts()
{
return $this->hasMany(Post::className(), ['userId' => 'id']);
}
}
class Friend {
...
public function getFriend()
{
return $this->hasOne(Member::className(), ['id' => 'friendId']);
}
}
The User class doesn't have any relationship with itself, I expected something like getUsers() inside of User, but it didn't generate it. I initially thought about not making a model with the junction table, but I did so just to see what would happen. I don't think I need it. So I am not sure how to do this correctly? Do I need to get rid of my Junction Table Models and Do I need to make the relationship between User to itself and User to Message manually? I thought about doing a many-to-many in User and Message and a many-to-many in User for User. Is this the right thing? Tell me if I am wrong. Thank you.
You are on a true way. You need a junction table for implementing your goal. Easily as you done this, you must define two model: User and Friend. Now on your User model at first you must define a relation for get the list of all friends, Suppose call it getFriendsLists:
public function getFriendsLists()
{
return $this->hasMany(Friend::className(), ['userId' => 'id']);
}
This relation says that "Get me all account that are connected with me, i.e. if my id is 102, this relation return all record of friend table that their userIds are 102". Well, now we get all friends with a relation on User model, let call him getFriends:
public function getFriends()
{
return $this->hasMany(User::className(), ['friendId' => 'id']
->via('friendsList');
}
Notice that 'friendsList' as is a parameter of via method, is our predefined relation on top of this answer. Now easily you can get all account that are friends of our example (User with id 102):
public FriendController extends Controller
{
// Some code goes here!
public function actionFriendList($id)
{
$user = User::findOne($id);
$friends = $user->friends;
return $this->render('friend-list', ['friendsArray' => $friends]);
}
}
And use them on your friend-list view file as $friendsArray variable. Extra note that $user->friends use friends relation that you defined on User model with getFriends method.
I would like to have a nested object inside a serializer instead of just the foreignkey (or url).
As this documentation says, I just had to specify the serializer class of the nested object in the parent serializer:
# Models
class NestedSample(models.Model):
something = models.CharField(max_length=255)
class Sample(models.Model):
thing = models.BooleanField()
nested = models.ForeignKey(NestedSample)
# Serializers
class NestedSampleSerializer(serializers.HyperlinkedModelSerializer):
class Meta:
model = api_models.NestedSample
class SampleSerializer(serializers.HyperlinkedModelSerializer):
nested = NestedSampleSerializer() # HERE!
class Meta:
model = api_models.Sample
# Views
class NestedSampleViewSet(viewsets.ModelViewSet):
queryset = api_models.NestedSample.objects.all()
serializer_class = api_serializers.NestedSampleSerializer
class SampleViewSet(viewsets.ModelViewSet):
queryset = api_models.Sample.objects.all()
serializer_class = api_serializers.SampleSerializer
This works very well when I get the objects, but it is not possible to create (=POST) Sample objects anymore, I get the error:
{u'non_field_errors': [u'Invalid data']}
I tried to overwrite the create method in the viewset to get the object using the pk:
class SampleViewSet(viewsets.ModelViewSet):
queryset = api_models.Sample.objects.all()
serializer_class = api_serializers.SampleSerializer
def create(self, request):
request.DATA['nested'] = get_object_or_404(api_models.NestedSample, pk=request.DATA['nested'])
return super(SampleViewSet, self).create(request)
But it doesn't work as well.
Any idea?
I also found this question I can relate with which of course solves the problem but do not let me expose the full nested object, so back to the beginning.
Thanks,
I can think of two solutions to this problem. I prefer the first one.
First solution:
Use a django model form to create objects. Override the create and update methods. A sample create method:
def create(self, request):
form = SampleForm(data=request.POST)
if form.is_valid():
instance = form.save(commit=False)
instance.save()
return Response(dict(id=instance.pk), status=status.HTTP_201_CREATED)
return Response(form.errors, status=status.HTTP_400_BAD_REQUEST)
this way you can create Sample objects with any kind of validation you like.
Second solution:
Override get_serializer_class method and return serializer class based on request method. Define two serializers one for post and put and one for list and retrieve.
Can you confirm that you're sending a JSON encoded request - i.e. the request has the content type set to JSON ?
If not, the post is most probably send using form format which doesn't support nested.