DRF Viewset remove permission for detail route


Problem description

I have a basic Viewset:

class UsersViewSet(viewsets.ModelViewSet):
    permission_classes = (OnlyStaff,)
    queryset = User.objects.all()
    serializer_class = UserSerializer

It is bound to the /api/users/ endpoint. I want to create a user profile page, so I need only a particular user, so I can retrieve it from /api/users/<id>/, but the problem is that I want /api/users/<id>/ to be allowed to anyone, but /api/users/ to keep its permission OnlyStaff, so no one can have access to the full list of users.

Note: Perhaps it's not such a good implementation, since anyone could brute force the data incrementing the id, but I'm willing to change it from <id> to <slug>.

How can I delete the permission from detail route?

Thanks.

Recommended answer

Override the get_permissions() method as below:

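from rest_framework import viewsets
from rest_framework.permissions import AllowAny


class UsersViewSet(viewsets.ModelViewSet):
    # Default for every action: staff only.
    permission_classes = (OnlyStaff,)
    queryset = User.objects.all()
    serializer_class = UserSerializer

    def get_permissions(self):
        # Open only the detail GET (retrieve); list, create, update and
        # destroy still fall through to permission_classes.
        if self.action == 'retrieve':
            return [AllowAny()]
        return super(UsersViewSet, self).get_permissions()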
