如何使用 has_object_permission 检查用户是否可以在基于 function 的视图中访问 object

Question

I have a note object which can be accessd from notes/{pk}. If the method is GET or a read only method I was to allow anyone access to the note as long as the note is public ( note.is_private = False )

I've implemented this as:

@api_view(['GET', 'DELETE', 'PUT'])
def detail_notes(request, pk): 
    try: 
        note = Note.objects.get(pk=pk)
    except Note.DoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)

    if request.method == 'GET': 
        response = NoteSerializer(note)
        return Response(response.data)

...

If the method is PUT or DELETE I want to allow access to the note only if the current user is the owner of the note. I implemented this permission (according to the docs) as follows:

class IsOwnerOrIsPublic(BasePermission):

    def has_object_permission(self, request, view, obj): 

        user = obj.user 
        privacy = obj.is_private

        if request.method in SAFE_METHODS:
            return not privacy # is the note public and is this a read only request ? 

        return request.user == obj.user

However, when I add the @permission_classes([IsOwnerOrIsPublic]) decorator to my view the permission doesn't restrict access to an unauthorized user. I'm able to view any note with a pk.

I tried explicitly calling IsOwnerOrIsPublic.has_object_permissions(), with this code in my view:

authorized = IsOwnerOrIsPublic.has_object_permission(request, note)
    if not authorized:
        return Response(status=HTTP_401_UNAUTHORIZED)

But I get the error has_object_permission() missing 2 required positional arguments: 'view' and 'obj' (obviously), and I do not know what other arguments to pass in. For example, what is the view argument?

How do I make this permission work on this view? Alternatively, how do I make this constraint work?

Answer 1

Note that my solution is based on generic views which is more simpler to implement. Try the following view class:

from rest_framework import generics
from django.shortcuts import get_object_or_404
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
...
# generics.RetrieveUpdateDestroyAPIView will allow Get, put, delete
class NoteDetailAPIView(generics.RetrieveUpdateDestroyAPIView):
"""
Retrieve, update, or delete note by its author
Retrieve only for readers
"""
# I'll assume you are using token authentication
authentication_classes = (TokenAuthentication,)
permission_classes = (IsAuthenticated, IsOwnerOrIsPublic,)

serializer_class = NoteSerializer

def get_object(self):
    note = get_object_or_404(Note, pk=self.kwargs['pk'])
    self.check_object_permissions(self.request, note)
    return note