How can I make "has_object_permission()" work?

I'm trying to create an object level permission for a user. The structure of my ddbb model is the following one:

  • A Teacher owns a Classroom (id_teacher ForeignKey)
  • A Classroom owns some Students (id_classroom ForeignKey)

I want to allow access to Student information only for the teacher who owns the classroom where the Students are registered.

Here are the API code and the permission code:

class StudentAPI(RetrieveUpdateAPIView):
    permission_classes = [GetStudentPermission, ]

    def get(self, request):
        student_ = Student.objects.get(username=request.GET['username'])
        s_student_ = StudentSerializer(student_)
        return Response(s_student_.data)

class GetStudentPermission(BasePermission):
    message = 'La información de este estudiante está restringida para usted'

    def has_object_permission(self, request, view, obj):
        cls_ = Classroom.objects.filter(id=obj.id_classroom.id).first()
        tch_ = Teacher.objects.get(classroom=cls_)
        user_ = User.objects.get(id=tch_.id_user.id)
        return bool(user_ == request.user)

It seems like the permission classes are not working at all, because I can access the information of each student while registered with any user account. Thank you beforehand.

As per the note in the section Custom permissions [DRF docs]:

The instance-level has_object_permission method will only be called if the view-level has_permission checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call .check_object_permissions(request, obj). If you are using the generic views then this will be handled for you by default. (Function-based views will need to check object permissions explicitly, raising PermissionDenied on failure.)

Since you override get and implement it yourself, check_object_permissions is never called. You can either do it yourself:

class StudentAPI(RetrieveUpdateAPIView):
    permission_classes = [GetStudentPermission, ]

    def get(self, request):
        student_ = Student.objects.get(username=request.GET['username'])
        # Raises PermissionDenied if has_object_permission() returns False
        self.check_object_permissions(self.request, student_)
        s_student_ = StudentSerializer(student_)
        return Response(s_student_.data)

Or, better yet, your implementation of get is not much different from the built-in implementation that RetrieveUpdateAPIView already has, so you can forgo overriding get and actually use the view directly:

class StudentAPI(RetrieveUpdateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    lookup_field = 'username'
    permission_classes = [GetStudentPermission, ]
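
Added example, not part of the original answer and not DRF source: a plain-Python model (no Django needed) of why the object-level check is skipped when get fetches the object itself, and how both fixes restore it. ModelView, OverriddenGet, FixedGet, STUDENTS, status and the teacher_user attribute are hypothetical names; only has_object_permission, check_object_permissions and get_object mirror DRF's method names.

```python
# Simplified plain-Python model of DRF's object-level check (constructed, not DRF source).
from types import SimpleNamespace as NS

class PermissionDenied(Exception):
    pass

class GetStudentPermission:
    def has_object_permission(self, request, view, obj):
        # Only the teacher who owns the student's classroom may read it.
        return obj.classroom.teacher_user == request.user

class ModelView:  # hypothetical stand-in for a generic view
    permission_classes = [GetStudentPermission]

    def check_object_permissions(self, request, obj):
        if not all(p().has_object_permission(request, self, obj)
                   for p in self.permission_classes):
            raise PermissionDenied

    def get_object(self, request):
        obj = STUDENTS[request.GET["username"]]
        self.check_object_permissions(request, obj)  # generic views do this for you
        return obj

    def get(self, request):  # built-in retrieve path goes through get_object()
        return self.get_object(request).username

    def dispatch(self, request):
        try:
            self.get(request)
            return 200
        except PermissionDenied:
            return 403

class OverriddenGet(ModelView):  # the question's view: fetches the object itself
    def get(self, request):
        return STUDENTS[request.GET["username"]].username

class FixedGet(ModelView):  # first fix from the answer: explicit check
    def get(self, request):
        obj = STUDENTS[request.GET["username"]]
        self.check_object_permissions(request, obj)
        return obj.username

# Constructed sample data: alice owns carol's classroom, bob does not.
STUDENTS = {"carol": NS(username="carol", classroom=NS(teacher_user="alice"))}

def status(view_cls, user):
    return view_cls().dispatch(NS(user=user, GET={"username": "carol"}))
```

Calling status(OverriddenGet, "bob") returns 200 even though bob does not own the classroom, which is the behaviour reported in the question; a regression test on the real view should assert a 403 for that case.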
