[英]How can I make "has_object_permission( )" work?
I'm trying to create an object level permission for a user.我正在尝试为用户创建 object 级别的权限。 The structure of my ddbb model is the following one:
我的ddbb model的结构如下:
I want to let the access to Student information just for the teacher who owns the classroom where the Students are registered.我想让拥有学生注册教室的老师访问学生信息。
Here are the API code and the permission code:下面是API代码和权限代码:
class StudentAPI(RetrieveUpdateAPIView):
permission_classes = [GetStudentPermission, ]
def get(self, request):
student_ = Student.objects.get(username=request.GET['username'])
s_student_ = StudentSerializer(student_)
return Response(s_student_.data)
class GetStudentPermission(BasePermission):
message = 'La información de este estudiante está restringida para usted'
def has_object_permission(self, request, view, obj):
cls_ = Classroom.objects.filter(id=obj.id_classroom.id).first()
tch_ = Teacher.objects.get(classroom=cls_)
user_ = User.objects.get(id=tch_.id_user.id)
return bool(user_ == request.user)
It seems like permission classes is not working at all because I can access to the information of each student being registered with any user account.似乎权限课程根本不起作用,因为我可以访问使用任何用户帐户注册的每个学生的信息。 Thank you beforehand
事先谢谢你
As per the note in the section Custom permissions [DRF docs] :根据自定义权限 [DRF docs]部分中的注释:
The instance-level
has_object_permission
method will only be called if the view-levelhas_permission
checks have already passed.只有当视图级
has_permission
检查已经通过时,才会调用实例级has_object_permission
方法。 Also note that in order for the instance-level checks to run, the view code should explicitly call.check_object_permissions(request, obj)
.另请注意,为了运行实例级检查,视图代码应显式调用
.check_object_permissions(request, obj)
。 If you are using the generic views then this will be handled for you by default.如果您使用的是通用视图,则默认情况下会为您处理。 (Function-based views will need to check object permissions explicitly, raising
PermissionDenied
on failure.)(基于函数的视图需要明确检查 object 权限,失败时会引发
PermissionDenied
。)
Since you override get
and implement it yourself check_object_permissions
is never called, you can either do it yourself:由于您覆盖
get
并自己实现它check_object_permissions
永远不会被调用,您可以自己做:
class StudentAPI(RetrieveUpdateAPIView):
permission_classes = [GetStudentPermission, ]
def get(self, request):
student_ = Student.objects.get(username=request.GET['username'])
self.check_object_permissions(self.request, student)
s_student_ = StudentSerializer(student_)
return Response(s_student_.data)
OR better yet your implementation of get is not much different than the builtin implementation that RetrieveUpdateAPIView
already has, so you can forego overriding get
and actually use the view directly:或者更好的是,您的 get 实现与
RetrieveUpdateAPIView
已经拥有的内置实现没有太大区别,因此您可以放弃覆盖get
并直接实际使用视图:
class StudentAPI(RetrieveUpdateAPIView):
queryset = Student.objects.all()
serializer_class = StudentSerializer
lookup_field = 'username'
permission_classes = [GetStudentPermission, ]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.