Ограничение действия пользователей django

Как можно ограничить действия обычного пользователя?

У меня при регистрации пользователя сразу определяется is_staff True или False. И нужно прописать ограничения (типа, можно смотреть определенный список, изменить его) если is_staff == False. Как лучше это сделать? Прописать разрешения отдельным файлом и использовать ее или сразу же на нужном файле?

Сейчас у мен код такой:

views.py

 from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.response import Response
from rest_framework.authtoken.models import Token
from rest_framework import status
from django.contrib.auth.models import User
from rest_framework.generics import CreateAPIView
from rest_framework.permissions import IsAuthenticated
from .serializers import UserRegisterSerializer
from django.contrib.auth.mixins import PermissionRequiredMixin
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType
from .permissions import ActivePermissions


class CustomAuthToken(ObtainAuthToken):

    def post(self, request, *args, **kwargs):
        serializer = self.serializer_class(data=request.data, context={'request': request})
        serializer.is_valid(raise_exception=True)
        user = serializer.validated_data['user']
        token, created = Token.objects.get_or_create(user=user)
        return Response({
            'token': token.key,
            'user_id': user.pk,
            'email': user.email
        })

class RegisterUserView(CreateAPIView, PermissionRequiredMixin):
    queryset = User.objects.all()  # add to queryset
    serializer_class = UserRegisterSerializer  # add serializer UserRegisterSerializer
    # permission_classes = [IsAuthenticated]  # add permission classes
    def post(self, request, *args, **kwargs):  #create method to create new user
        serializer = UserRegisterSerializer(data=request.data)  # add UserRegisterSerializer
        data = {}  # create list data

        if request.user.is_staff == True: #это то, что я пробую делать
            permission_classes = [IsAuthenticated, ActivePermissions]
        else:
            permission_classes = [IsAuthenticated]

            # Data Validity Check
        if serializer.is_valid():
            serializer.save()
            data['response'] = True
            return Response(data, status=status.HTTP_200_OK)
        else:
            data = serializer.errors
            return Response(data)

serislizersd.py

from rest_framework import serializers
from django.contrib.auth.models import User

class UserRegisterSerializer(serializers.ModelSerializer):
    password2 = serializers.CharField()  # Поле для повторения пароля

    # Настройка полей
    class Meta:
        model = User
        fields = ['email', 'username', 'password', 'password2', 'is_staff']

    # Метод для сохранения нового пользователя
    def create(self, *args, **kwargs):
        user = User(
            email=self.validated_data['email'],
            username=self.validated_data['username'],
            is_staff=self.validated_data['is_staff'],
        )
        password = self.validated_data['password']
        password2 = self.validated_data['password2']

        if password != password2:
            raise serializers.ValidationError({password: "Пароль не совпадает"})
        user.set_password(password)  # Сохраняем пароль
        user.save()
        return user

models/py

from django.db import models
from django.contrib.auth.models import AbstractBaseUser, BaseUserManager
from django.conf import settings
from django.db.models.signals import post_save
from django.dispatch import receiver
from rest_framework.authtoken.models import Token

@receiver(post_save, sender=settings.AUTH_USER_MODEL)
def create_auth_token(sender, instance=None, created=False, **kwargs):
    if created:
        Token.objects.create(user=instance)


class MyUserManager(BaseUserManager):
    # Создаём метод для создания пользователя
    def _create_user(self, email, username, password, is_staff):
        if not email:
            raise ValueError("Вы не ввели Email")
        if not username:
            raise ValueError("Вы не ввели Логин")

        user = self.model(
            email=self.normalize_email(email),
            username=username,
            is_staff=is_staff,
        )

        user.set_password(password)
        user.save(using=self._db)

        return user


class User(AbstractBaseUser):
    username = models.CharField(max_length=50, unique=True)
    email = models.EmailField(max_length=100, unique=True)
    is_active = models.BooleanField(default=True)
    is_staff = models.BooleanField(default=False)


    objects = MyUserManager()

    def __str__(self):
        return self.username

permissions.py

from rest_framework import permissions
from django.contrib.auth.models import Permission, User
from django.contrib.contenttypes.models import ContentType
from Personel.models import Division

class ActivePermissions(permissions.BasePermission):
    # Permissions for users

    def has_permission(self, request, view):
        content_type = ContentType.objects.get_for_model(Division)
        permission = Permission.objects.get(
            codename='change_blogpost',
            content_type=content_type,
        )
        if request.user.is_staff == False:
            request.user.permissions.add(permission)

Вернуться на верх