update: 권한 관련 설정 추가

golony6449 · golony6449 · commit a4a6bb93f7b0 · 2023-02-07T00:00:05.000+09:00
diff --git a/sponsor/permissions.py b/sponsor/permissions.py
@@ -0,0 +1,17 @@
+from rest_framework import permissions
+
+from sponsor.models import Sponsor
+
+
+class IsOwnerOrReadOnly(permissions.BasePermission):
+    # https://stackoverflow.com/questions/72691826/djnago-rest-framework-how-to-allow-only-update-user-own-content-only
+    def has_object_permission(self, request, view, obj: Sponsor):
+        if request.method in permissions.SAFE_METHODS:
+            return True
+
+        return obj.manager_id == request.user or obj.creator == request.user
+
+
+class OwnerOnly(permissions.BasePermission):
+    def has_object_permission(self, request, view, obj: Sponsor):
+        return obj.manager_id == request.user or obj.creator == request.user
diff --git a/sponsor/viewsets.py b/sponsor/viewsets.py
@@ -1,19 +1,16 @@
 from django.shortcuts import get_object_or_404
-
-from rest_framework.viewsets import ModelViewSet
 from rest_framework.permissions import IsAuthenticatedOrReadOnly
 from rest_framework.response import Response
+from rest_framework.viewsets import ModelViewSet
 
-from sponsor.serializers import (
-    SponsorSerializer,
-    SponsorListSerializer,
-)
 from sponsor.models import Sponsor
+from sponsor.permissions import IsOwnerOrReadOnly, OwnerOnly
+from sponsor.serializers import SponsorListSerializer, SponsorSerializer
 
 
 class SponsorViewSet(ModelViewSet):
     serializer_class = SponsorSerializer
-    permission_classes = [IsAuthenticatedOrReadOnly]  # 로그인된 사용자에게만 허용
+    permission_classes = [IsOwnerOrReadOnly]  # 본인 소유만 수정가능
 
     def get_queryset(self):
         return Sponsor.objects.all()
@@ -33,5 +30,17 @@ def retrieve(self, request, *args, **kwargs):
         pk = kwargs["pk"]
         sponsor_data = get_object_or_404(Sponsor, pk=pk)
 
-        serializer = SponsorSerializer(sponsor_data)
+        # 본인 소유인 경우는 모든 필드
+        # 그렇지 않은 경우는 공개 가능한 필드만 응답
+        serializer = (
+            SponsorSerializer(sponsor_data)
+            if self.check_owner_permission(request, sponsor_data)
+            else SponsorListSerializer(sponsor_data)
+        )
+
         return Response(serializer.data)
+
+    def check_owner_permission(self, request, sponsor_data: Sponsor):
+        return OwnerOnly.has_object_permission(
+            self=OwnerOnly, request=request, view=self, obj=sponsor_data
+        )
