堆栈内存溢出
  简体   繁体   English

Django rest框架忽略has_object_permission

[英]Django rest framework ignores has_object_permission

 原文  2014-03-21 14:35:43       python/ django/ django-rest-framework

问题描述

I'm trying to limit the access to objects for users. 我正在尝试限制用户对象的访问权限。 Only creaters should modify objects. 只有创建者才能修改对象。 For that purpose like they say in tutorial I've written 就像他们在我编写的教程中所说的那样 

class IsOwnerOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return False

and added it to permission_classes. 并将其添加到permission_classes。 But still any user can modify any object. 但仍然任何用户都可以修改任何对象。 If I add method 如果我添加方法 

    def has_permission(self, request, view):
        return False

nobody can do anything. 没人能做任何事。 So all behaviour is controlled by the only has_permission method that doesn't provide any way to handle per object permissions. 因此,所有行为都由唯一的has_permission方法控制,该方法不提供处理每个对象权限的任何方法。 So am I doing something wrong? 我做错了什么? Here's the code of request handler 这是请求处理程序的代码 

class ProblemsHandler(APIView):

    permission_classes = (
        IsOwnerOrReadOnly,
        permissions.IsAuthenticatedOrReadOnly,
    )

    def pre_save(self, request, problem):
        problem.author = request.user

    def get_object(self, request, pk, format):
        try:
            problem = ProblemsModel.objects.get(pk=pk)
            serializer = ProblemsSerializer(problem)
            return Response(serializer.data, status=HTTP_200_OK)
        except ProblemsModel.DoesNotExist:
            raise Http404

    def get_list(self, request, format):
        problems = ProblemsModel.objects.all()
        serializer = ProblemsSerializer(problems, many=True)
        return Response(serializer.data, status=HTTP_200_OK)

    def get(self, request, pk=None, format=None):
        if pk:
            return self.get_object(request, pk, format)
        else:
            return self.get_list(request, format)

    def post(self, request, format=None):
        serializer = ProblemsSerializer(data=request.DATA)
        if serializer.is_valid():
            self.pre_save(request, serializer.object)
            serializer.save()
            return Response(serializer.data, status=HTTP_201_CREATED)
        else:
            return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)

    def put(self, request, pk, format=None):
        try:
            problem = ProblemsModel.objects.get(pk=pk)
            serializer = ProblemsSerializer(problem, data=request.DATA)
            if serializer.is_valid():
                self.pre_save(request, serializer.object)
                serializer.save()
                return Response(serializer.data, status=HTTP_200_OK)
            else:
                return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
        except ProblemsModel.DoesNotExist:
            raise Http404

    def delete(self, request, pk, format=None):
        try:
            problem = ProblemsModel.objects.get(pk=pk)
            problem.delete()
            return Response(status=HTTP_204_NO_CONTENT)
        except ProblemsModel.DoesNotExist:
            raise Http404

1 个解决方案

解决方案1
 21 已采纳  2014-03-21 19:30:38

the permission-checks for objects are done by DRF in the method APIView.check_object_permissions . 对象的权限检查由DRF在方法APIView.check_object_permissions

Since you don't use the GenericAPIView , you define your own get_object method and you have to call check_object_permissions yourself. 由于您不使用GenericAPIView ,因此您需要定义自己的get_object方法,并且必须自己调用check_object_permissions Since you are mis-using get_object a bit, you have to check for GET (single), PUT and DELETE 由于你误用了get_object,你必须检查GET(单个),PUT和DELETE 

self.check_object_permissions(self.request, obj)

Perhaps have a better look at the DRF Generic Views , since your use-case looks much like them. 或许可以更好地了解DRF通用视图 ,因为您的用例看起来很像它们。 Normally get_object should only return an object and check the permissions. 通常get_object应该只返回一个对象并检查权限。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在 Django Rest 框架中将 has_object_permission 与 APIView 一起使用? - How to use has_object_permission with APIView in Django Rest Framework? Django Restframework has_object_permission()函数不适用于对象权限 - Django Restframework has_object_permission() function is not working for object permission 未使用 get_object 调用 Django 的 DRF has_object_permission 方法 - Django's DRF has_object_permission method not called with get_object has_object_permission根本没有在((object)-detail`)URL中被调用 - has_object_permission not being called at all in `(object)-detail` URLS 如何使“has_object_permission()”工作? - How can I make "has_object_permission( )" work? 如何使用 has_object_permission 检查用户是否可以在基于 function 的视图中访问 object - How to use has_object_permission to check if a user can access an object in function based views Django Rest Framework 对象没有属性 pk - Django Rest Framework object has no attribute pk Django Rest Framework-对象没有属性发布 - Django Rest Framework - object has no attribute post 使用django-rest-framework设置对象级权限 - Set object-level permission with django-rest-framework 在Django rest框架中创建之前检查对象权限 - Check object permission before create in Django rest framework
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM