[英]Django rest framework ignores has_object_permission
I'm trying to limit the access to objects for users. 我正在尝试限制用户对象的访问权限。 Only creaters should modify objects.
只有创建者才能修改对象。 For that purpose like they say in tutorial I've written
就像他们在我编写的教程中所说的那样
class IsOwnerOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
return False
and added it to permission_classes. 并将其添加到permission_classes。 But still any user can modify any object.
但仍然任何用户都可以修改任何对象。 If I add method
如果我添加方法
def has_permission(self, request, view):
return False
nobody can do anything. 没人能做任何事。 So all behaviour is controlled by the only has_permission method that doesn't provide any way to handle per object permissions.
因此,所有行为都由唯一的has_permission方法控制,该方法不提供处理每个对象权限的任何方法。 So am I doing something wrong?
我做错了什么? Here's the code of request handler
这是请求处理程序的代码
class ProblemsHandler(APIView):
permission_classes = (
IsOwnerOrReadOnly,
permissions.IsAuthenticatedOrReadOnly,
)
def pre_save(self, request, problem):
problem.author = request.user
def get_object(self, request, pk, format):
try:
problem = ProblemsModel.objects.get(pk=pk)
serializer = ProblemsSerializer(problem)
return Response(serializer.data, status=HTTP_200_OK)
except ProblemsModel.DoesNotExist:
raise Http404
def get_list(self, request, format):
problems = ProblemsModel.objects.all()
serializer = ProblemsSerializer(problems, many=True)
return Response(serializer.data, status=HTTP_200_OK)
def get(self, request, pk=None, format=None):
if pk:
return self.get_object(request, pk, format)
else:
return self.get_list(request, format)
def post(self, request, format=None):
serializer = ProblemsSerializer(data=request.DATA)
if serializer.is_valid():
self.pre_save(request, serializer.object)
serializer.save()
return Response(serializer.data, status=HTTP_201_CREATED)
else:
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
def put(self, request, pk, format=None):
try:
problem = ProblemsModel.objects.get(pk=pk)
serializer = ProblemsSerializer(problem, data=request.DATA)
if serializer.is_valid():
self.pre_save(request, serializer.object)
serializer.save()
return Response(serializer.data, status=HTTP_200_OK)
else:
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
except ProblemsModel.DoesNotExist:
raise Http404
def delete(self, request, pk, format=None):
try:
problem = ProblemsModel.objects.get(pk=pk)
problem.delete()
return Response(status=HTTP_204_NO_CONTENT)
except ProblemsModel.DoesNotExist:
raise Http404
the permission-checks for objects are done by DRF in the method APIView.check_object_permissions
. 对象的权限检查由DRF在方法
APIView.check_object_permissions
。
Since you don't use the GenericAPIView
, you define your own get_object
method and you have to call check_object_permissions
yourself. 由于您不使用
GenericAPIView
,因此您需要定义自己的get_object
方法,并且必须自己调用check_object_permissions
。 Since you are mis-using get_object a bit, you have to check for GET (single), PUT and DELETE 由于你误用了get_object,你必须检查GET(单个),PUT和DELETE
self.check_object_permissions(self.request, obj)
Perhaps have a better look at the DRF Generic Views , since your use-case looks much like them. 或许可以更好地了解DRF通用视图 ,因为您的用例看起来很像它们。 Normally
get_object
should only return an object and check the permissions. 通常
get_object
应该只返回一个对象并检查权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.