[英]In the Django REST framework, how are the default permission classes combined with per-view(set) ones?
I'm reading http://www.django-rest-framework.org/api-guide/permissions/ and trying to relate it to the OAuth2 toolkit documentation, http://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html .我正在阅读http://www.django-rest-framework.org/api-guide/permissions/并尝试将其与 OAuth2 工具包文档相关联, http://django-oauth-toolkit.readthedocs.io/en/latest/rest -框架/getting_started.html 。 The latter has an example in which in settings.py
one specifies后者有一个示例,其中在settings.py
中指定
REST_FRAMEWORK = {
# ...
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
)
}
and in addition, IsAuthenticated
is also specified added to the permission_classes
list of a ModelViewSet
:此外,还指定IsAuthenticated
添加到ModelViewSet
的permission_classes
列表中:
class UserViewSet(viewsets.ModelViewSet):
permission_classes = [permissions.IsAuthenticated, TokenHasReadWriteScope]
queryset = User.objects.all()
serializer_class = UserSerializer
Do I infer correctly from this example that the DEFAULT_PERMISSION_CLASSES
are not prepended / postpended to a ModelViewSet
's permission classes, but are instead replaced by it?我是否从这个例子中正确地推断出DEFAULT_PERMISSION_CLASSES
没有被添加/添加到ModelViewSet
的权限类中,而是被它替换了?
Do I infer correctly from this example that the
DEFAULT_PERMISSION_CLASSES
are not prepended / postpended to aModelViewSet
's permission classes, but are instead replaced by it?难道我从这个例子的正确推断DEFAULT_PERMISSION_CLASSES
没有前置/ postpended到ModelViewSet
的许可类,但都被它代替更换?
The DEFAULT_PERMISSION_CLASSES
are used for views/viewsets where permission_classes
is not defined. DEFAULT_PERMISSION_CLASSES
用于未定义permission_classes
视图/视图集。 In the cases they are defined, those are used instead, not the default ones.在定义它们的情况下,将使用它们,而不是默认的。
In the Django REST framework, how are the default permission classes combined with per-view(set) ones?在 Django REST framework 中,默认权限类如何与 per-view(set) 组合?
They are not combined.它们不是组合在一起的。
... the DEFAULT_PERMISSION_CLASSES are not prepended / postpended to a ModelViewSet's permission classes, but are instead replaced by it? ... DEFAULT_PERMISSION_CLASSES 不是在 ModelViewSet 的权限类前面/后面,而是被它取代?
Correct.正确的。
If you do want to extend the default permissions, this seems to work.如果您确实想扩展默认权限,这似乎可行。
Disclaimer: I found it by looking into DRF's code, not sure it is documented.免责声明:我通过查看 DRF 的代码找到了它,但不确定它是否已记录在案。
from rest_framework.settings import api_settings
class UserViewSet(viewsets.ModelViewSet):
permission_classes = [*api_settings.DEFAULT_PERMISSION_CLASSES, TokenHasReadWriteScope]
Add code in your custom Permission class like this在您的自定义权限类中添加代码,如下所示
class ObjectWritePermission(BasePermission):
# you will see this function in IsAuthenticated Permission class
def has_permission(self, request, view):
return bool(request.user and request.user.is_authenticated)
def has_object_permission(self, request, view, obj):
return obj.user == request.user
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.