Django Rest Framework中CreateAPIView的权限 [英] Permissions for CreateAPIView in Django Rest Framework

问题描述

我查看了CreateAPIView的代码，并且在创建过程中的任何地方都未检查权限.因此，我决定按如下所示在perform_create挂钩中对其进行检查:

I looked at the code for CreateAPIView and nowhere in the creation process are permissions checked. So I decided to check them in the perform_create hook as follows:

class CourseList(generics.CreateAPIView):
    """
    Create a course.
    A user can create a course if he/she is an instructor in
    the academy the course is to be created in.
    """
    serializer_class = CourseRef
    queryset = Course.objects.all()
    permission_classes = (IsAuthenticated, IsInstructorInAcademy)

    def perform_create(self, serializer):
        self.check_object_permissions(self.request, serializer.validated_data.get('academy'))
        serializer.save()

其中的权限如下所示:

class IsInstructorInAcademy(BasePermission):
    def has_object_permission(self, request, view, academy):
        return request.user.instructor_set.filter(academy=academy).exists()

当我尝试创建课程时，初始权限检查运行正常，并且该课程已保存，但随后我立即收到以下错误消息:

When I try to create a course, the initial permission check runs fine and the course is saved but immediately afterwards I get the following error:

ValueError at /api/courses/
Cannot query "Mathematics 11A": Must be "Academy" instance.

，这在权限检查时引发，结果POST返回500 ISE.

and this is raised at the permissions check, as a result of which the POST returns a 500 ISE.

(这有点怪异，因为我在perform_create钩中的权限检查中传递了学院实例，而视图确实涉及课程.我考虑使用权限IsInstructorInAcademyOfObject，但是为此，我需要传递一个除非保存序列化器否则无法获取的对象.)

(This is slightly hacky because I'm passing in the academy instance in the permissions check in the perform_create hook whereas the view really concerns courses. I considered using a permission IsInstructorInAcademyOfObject but for that, I would need to pass in an object which I cannot get unless the serializer is saved.)

在此处检查权限的最佳方法是什么?

What is the best way to check for permissions here?

推荐答案

您遇到了问题，因为您将业务逻辑检查与权限捆绑在一起.

You have an issue because you're tying business logic checks with permissions.

反序列化后，请执行自己的检查，而不是调用check_object_permission，如果失败，则引发PermissionDenied.

Instead of calling check_object_permission, perform your own check once it's deserialized and raise a PermissionDenied if it fails.

这篇关于Django Rest Framework中CreateAPIView的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！