Django Rest compare user 'sector' id with publication 'sector' id


Viewed 368 times

1

Well, I’m messing with an API and I want it to return content only when the user sector is equal to the publishing sector.

API for publications:

The user has a sector field also equal to this, and I’m already able to get the current user’s industry id, but I can’t get the publication’s industry id to test!

views.py:

class PostDetailAPIView(RetrieveAPIView):
    queryset = Post.objects.all()
    serializer_class = PostSerializer

    def get_queryset(self):
        queryset = Post.objects.all()
        user_sector = None
        if self.request.user.is_authenticated():
            user_sector = self.request.user.sector.id

            if user_sector is ...:
                return queryset

Remembering that I want to return the queryset every time the sector of some publication is equal to the sector of the logged-in user!! Help me with this.

  • Try using self.get_object(), which returns the object of the current detail view, so you can do post.sector and then do the verification against the user’s.

  • Do I need to pass the sector as a parameter?

  • It gave this error now: 'Maximum recursion depth exceeded'

  • Not necessarily. Take queryset out of get_queryset. Try using get_object inside get_queryset.

2 answers

0


Well, I found the solution in a different way:

PS: I also put an OR condition to search for the 'General' sector, which should appear for all users.

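from django.db.models import Q
from rest_framework.generics import ListAPIView

class PostListAPIView(ListAPIView):
    queryset = Post.objects.all()
    serializer_class = PostSerializer

    def get_queryset(self):
        # is_authenticated is a property since Django 1.10; calling it fails on Django 2.0+
        if not self.request.user.is_authenticated:
            # Return an empty queryset for anonymous users instead of falling through to None
            return Post.objects.none()
        user_sector = self.request.user.sector.id
        # Posts from the user's own sector, or from the shared 'Geral' sector
        return Post.objects.filter(
            Q(sector__id=user_sector) |
            Q(sector__name='Geral')
        ).distinct()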

0

This is more a matter of permissions, as I understand it. So when the publishing sector is different from the user sector you want to refuse this request (and probably return an error message).

I would implement it as follows:

class PostDetailAPIView(RetrieveAPIView):
    queryset = Post.objects.all()
    serializer_class = PostSerializer
    # permission_classes must be iterable, so the one-element tuple needs its trailing comma
    permission_classes = (ClasseVerificacao,)

Then you need to implement the "ClasseVerificacao" class:

from rest_framework import permissions

# CLASSES FOR PERMISSION CONTROL
class ClasseVerificacao(permissions.BasePermission):
    message = 'Permissão negada, seu setor não é o mesmo do objeto'

    def has_object_permission(self, request, view, obj):
        # The request arrives as an argument; a permission class has no self.request
        return request.user.sector == obj.sector

Note that this part returns True when the user sector is equal to the object sector. When the function returns True it responds to the request; if the function returns False it responds to the request with the message you chose.

return request.user.sector == obj.sector

Well, it gets "complicated" to write the code exactly for your problem, but there’s an example that should help you. And remember to look at the documentation.
