Django DRF @permission_classes not working for IsAdminUser permission

I want to apply IsAdminUser permission on my view. I am able to do it by setting the permission_classes attribute:

from rest_framework.permissions import IsAdminUser
from rest_framework.views import APIView

class UserProfileView(APIView):
    permission_classes = [IsAdminUser,]

    def get(self, request, pk=None):
        ...

However, if I try to do the same using a decorator then it seems to be ineffective and checks only for authenticated users.

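from rest_framework.decorators import permission_classes
from rest_framework.permissions import IsAdminUser
from rest_framework.views import APIView

class UserProfileView(APIView):

    @permission_classes([IsAdminUser])
    def get(self, request, pk=None):
        ...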

I want to understand why it is behaving so. Am I doing anything wrong? My environment configuration: Python==3.7.6, Django==2.2.10, djangorestframework==3.11.0, django-oauth-toolkit==1.2.0

It is not supposed to work on APIView handlers. @permission_classes just sets func.permission_classes = permission_classes, and then the @api_view decorator wraps the function with an APIView-based class. When APIView calls a handler, it does not check permission_classes set on that handler, as these checks are made in the initial method. Here is a part of APIView.dispatch:

self.initial(request, *args, **kwargs)
# part of initial:
#     self.check_permissions(request)

# Get the appropriate handler method
if request.method.lower() in self.http_method_names:
    handler = getattr(self, request.method.lower(),
                      self.http_method_not_allowed)
else:
    handler = self.http_method_not_allowed

response = handler(request, *args, **kwargs)

If you want to apply different permissions to different handlers (like get or post) you can either:

  1. Create your own permission class and specify it in permission_classes
  2. Override check_permissions
  3. Put permissions logic into handlers
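
The behaviour described in this answer, as an added example that is not part of the original post and is not DRF code: a simplified pure-Python stand-in for the dispatch flow shows the decorated handler admitting a non-admin user, option 2 (overriding check_permissions) enforcing the admin check, and a small audit helper that flags handlers carrying an unread permission_classes attribute. `MiniAPIView`, `Request`, `method_permissions` and `ignored_handler_permissions` are hypothetical names, and the permission classes are reduced to flags on a constructed request object.

```python
from dataclasses import dataclass

@dataclass
class Request:                       # constructed stand-in for a DRF request
    method: str
    is_authenticated: bool = False
    is_staff: bool = False

class IsAuthenticated:
    def has_permission(self, request, view):
        return request.is_authenticated

class IsAdminUser:
    def has_permission(self, request, view):
        return request.is_staff

def permission_classes(classes):     # as the answer describes: only tags the function
    def decorator(func):
        func.permission_classes = classes
        return func
    return decorator

class MiniAPIView:                   # simplified model of APIView.dispatch, not DRF itself
    permission_classes = [IsAuthenticated]    # assumed project-wide default
    def check_permissions(self, request):     # returns bool here; DRF raises instead
        return all(c().has_permission(request, self) for c in self.permission_classes)
    def dispatch(self, request):
        if not self.check_permissions(request):   # runs in initial(), before handler lookup
            return 403
        return getattr(self, request.method.lower())(request)

class DecoratedView(MiniAPIView):    # the pattern from the question
    @permission_classes([IsAdminUser])
    def get(self, request):
        return 200

class PerMethodView(MiniAPIView):    # option 2: override check_permissions
    method_permissions = {"get": [IsAdminUser]}   # hypothetical attribute name
    def check_permissions(self, request):
        extra = self.method_permissions.get(request.method.lower(), [])
        required = self.permission_classes + extra
        return all(c().has_permission(request, self) for c in required)
    def get(self, request):
        return 200

def ignored_handler_permissions(view_cls):
    """Handler names carrying a permission_classes attribute that dispatch never reads."""
    methods = ("get", "post", "put", "patch", "delete")
    return [m for m in methods if hasattr(getattr(view_cls, m, None), "permission_classes")]
```

Running `ignored_handler_permissions` over a project's view classes in a unit test turns this silent misconfiguration into a failing build.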
