Django DRF：@permission_classes 不起作用

Question

I have a view with a custom action which should have a custom permission "IsRightUser". However, the has_object_permission of it is never called, even though I try to access the object with self.get_object() in my view.

class MyView(mixins.ListModelMixin, viewsets.GenericViewSet):
    serializer_class = MySerializer
    lookup_field = 'uuid'
    queryset = MyObject.objects.all()

    @action(methods=['get'], detail=True)
    @permission_classes([IsRightUser])
    def groups(self, request, uuid=None):
        # prints [<class 'rest_framework.permissions.IsAuthenticated'>]
        print(self.permission_classes)  
        my_object = self.get_object()
        groups = Group.objects.filter(my_object=my_object)
        serializer = MySerializer(groups, many=True)
        return Response(serializer.data)

Here you can see my custom permission which is never called.

class IsRightUser(BasePermission):
    def has_object_permission(self, request, view, obj):
        # never called
        return True

When I use permission_classes = [IsRightUser] in my view (ie directly underneath the lookup_field) it works (unfortunately this is not feasible for me).

Any help is very much appreciated.

Answer 1

You should pass permission classes as action argument directly:

@action(methods=['get'], detail=True, permission_classes=[IsRightUser])
def groups(self, request, uuid=None):
    # prints [<class 'rest_framework.permissions.IsAuthenticated'>]
    print(self.permission_classes)  
    my_object = self.get_object()
    groups = Group.objects.filter(my_object=my_object)
    serializer = MySerializer(groups, many=True)
    return Response(serializer.data)

Answer 2

例如，只要您在 REST_FRAMEWORK 下将默认 DEFAULT_AUTHENTICATION_CLASSES 定义到 settings.py 中，第一个装饰器就会完美地工作。