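I am trying to create a REST API using django-rest-framework. My question is: can I print the instance in the has_object_permission method so that I can see what is happening in that part? I am trying to make it so that only the owner of an object can update and delete that object, but right now anyone can delete or update any object. Please tell me whether there is any other way to do this besides permissions. Can we do all of this with checks in the serializer? If so, please guide me with an example as well. I would be very grateful.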

from rest_framework import generics
from rest_framework.permissions import BasePermission


class ObjectOwnerPermission(BasePermission):
    message = "This object is expired."  # custom error message

    def has_object_permission(self, request, view, obj):
        if request.user.is_authenticated:
            return True
        return False
        if obj.author == request.user:
            return True
        return False


class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView, ObjectOwnerPermission):
    """This endpoint allows for updating a specific Project by passing in the id of the
    Project to update/Retrieve"""
    permissions_classes = [ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer


class DeleteProjectAPIView(generics.DestroyAPIView, ObjectOwnerPermission):
    """This endpoint allows for deletion of a specific Project from the database"""
    permissions_classes = [ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer

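Reply from a uj5u.com user:
Your permission does not work because you return True in ObjectOwnerPermission when the user is authenticated, which means anyone who is authenticated passes this permission.
Edit:
In the original question, permissionS_classes was used instead of permission_classes.
Here is my fixed version: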

from rest_framework import generics
from rest_framework.permissions import BasePermission, IsAuthenticated


class ObjectOwnerPermission(BasePermission):
    message = "This object is expired."  # custom error message

    def has_object_permission(self, request, view, obj):
        # Only the object's author passes the object-level check
        return obj.author == request.user


class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView):
    """This endpoint allows for updating a specific Project by passing in the id of the
    Project to update/Retrieve"""
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer


class DeleteProjectAPIView(generics.DestroyAPIView):
    """This endpoint allows for deletion of a specific Project from the database"""
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer

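- Do not inherit from the permission class in your views - it should only be used in permission_classes
- If you want to chain your permissions, that should be done in the permission_classes list
- Permission classes are read from left to right, which means IsAuthenticated is checked first, before your class (so in your class you can be sure the user is logged in)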
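
The two mistakes the answer points out (the misspelled permissions_classes attribute and a view inheriting from the permission class) raise no error, so they are easy to miss in review. As an added example, not part of the original answer, this standard-library script flags both in view source code; audit_views, base_name and the sample source are hypothetical names constructed for illustration, and the 0.85 similarity threshold is an assumption.

```python
import ast
from difflib import SequenceMatcher

EXPECTED = "permission_classes"
# Constructed sample: the views from the question, reduced to the parts being checked.
SAMPLE = '''
class ObjectOwnerPermission(BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj.author == request.user

class DeleteProjectAPIView(generics.DestroyAPIView, ObjectOwnerPermission):
    permissions_classes = [ObjectOwnerPermission]

class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView):
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
'''

def base_name(node):
    """Return the last dotted component of a base-class expression."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else ""

def audit_views(source):
    """Return (line, class name, problem) tuples for the two mistakes above."""
    classes = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)]
    # Classes that directly subclass BasePermission count as permission classes.
    perms = {c.name for c in classes if "BasePermission" in map(base_name, c.bases)}
    findings = []
    for cls in classes:
        bases = [base_name(b) for b in cls.bases]
        # Inheriting a permission class into a view does not make DRF run it.
        if any(b in perms for b in bases) and any(b not in perms for b in bases):
            findings.append((cls.lineno, cls.name, "inherits from a permission class"))
        for stmt in cls.body:
            if not isinstance(stmt, ast.Assign):
                continue
            for target in stmt.targets:
                name = getattr(target, "id", "")
                # A near-miss spelling is just an unused attribute: defaults apply.
                ratio = SequenceMatcher(None, name, EXPECTED).ratio()
                if name != EXPECTED and ratio >= 0.85:
                    findings.append((stmt.lineno, cls.name, f"'{name}' is not '{EXPECTED}'"))
    return findings

if __name__ == "__main__":
    for line, cls, problem in audit_views(SAMPLE):
        print(f"line {line}: {cls}: {problem}")
```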
