django rest model permissions


Question


I'm using Django 2.1 and djangorestframework 3.9.2. I wish to be able to control access to REST operations on Django model objects via the Django admin interface, ideally using user permissions. For example, only users who have read permissions on model object Foo should be able to see Foo in my REST API.


I read the docs and it seems maybe I could use DjangoModelPermissions or DjangoObjectPermissions.


However, when I clear all user permissions in the DB, and set DEFAULT_PERMISSIONS_CLASS to either DjangoModelPermissions or DjangoObjectPermissions, I am still able to see things in the REST API. That means lack of permissions is not preventing me from seeing objects as I hoped.

Example settings:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.DjangoModelPermissions',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}

Example object view:

from rest_framework import routers, serializers, viewsets
from .models import Example

class ExampleSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = Example
        fields = '__all__'

class ExampleViewSet(viewsets.ModelViewSet):
    queryset = Example.objects.all()
    serializer_class = ExampleSerializer

router = routers.DefaultRouter()
router.register(r'examples', ExampleViewSet)

Suggestions?

Accepted answer


DjangoModelPermissions only enforces permission rules for data modification (for POST, PUT, PATCH and DELETE requests), but does not enforce permission rules for data viewing.


To restrict data viewing, you can add a custom view permission, and subclass DjangoModelPermissions to use that permission, as explained in the docs.

Edit:


With Django 2.1, the view model permission was added. So this will probably be supported by DjangoModelPermissions in future releases, but until then, you can try subclassing DjangoModelPermissions like this to add a check for view permissions:

from rest_framework.permissions import DjangoModelPermissions

class DjangoModelPermissionsWithRead(DjangoModelPermissions):
    # Same mapping as the stock perms_map, except that GET now requires the
    # model's view_<model> permission instead of no permission at all.
    perms_map = {
        'GET': ['%(app_label)s.view_%(model_name)s'],
        'OPTIONS': [],
        'HEAD': [],
        'POST': ['%(app_label)s.add_%(model_name)s'],
        'PUT': ['%(app_label)s.change_%(model_name)s'],
        'PATCH': ['%(app_label)s.change_%(model_name)s'],
        'DELETE': ['%(app_label)s.delete_%(model_name)s'],
    }
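To see why clearing every permission still left GET open, here is an added, stand-alone model of the method-to-permission lookup that DjangoModelPermissions performs (this is illustrative code written for this page, not DRF's own implementation, and it imports neither Django nor DRF). The FakeUser class, the app label myapp and the model name example are constructed stand-ins.

```python
from dataclasses import dataclass, field

# The stock perms_map DRF ships (at the version in the question): read requests
# require no permission at all, which is what the asker observed.
DEFAULT_PERMS_MAP = {
    'GET': [],
    'OPTIONS': [],
    'HEAD': [],
    'POST': ['%(app_label)s.add_%(model_name)s'],
    'PUT': ['%(app_label)s.change_%(model_name)s'],
    'PATCH': ['%(app_label)s.change_%(model_name)s'],
    'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}

# The read-enforcing map from the answer: GET now needs the view_ permission.
READ_ENFORCING_PERMS_MAP = dict(
    DEFAULT_PERMS_MAP, GET=['%(app_label)s.view_%(model_name)s'])


@dataclass
class FakeUser:
    """Constructed stand-in for a Django user; perms hold 'app.codename' strings.
    Unlike Django, it does not grant superusers every permission implicitly."""
    is_authenticated: bool = True
    perms: set = field(default_factory=set)

    def has_perms(self, codenames):
        return all(p in self.perms for p in codenames)


def required_perms(perms_map, method, app_label, model_name):
    """Expand the perms_map templates for one HTTP method and one model."""
    kwargs = {'app_label': app_label, 'model_name': model_name}
    return [perm % kwargs for perm in perms_map[method]]


def has_permission(perms_map, user, method, app_label='myapp',
                   model_name='example'):
    """Mirror of the per-request check: unknown method -> denied (DRF raises
    MethodNotAllowed), anonymous -> denied, otherwise every expanded codename
    must be held by the user. An empty list is trivially satisfied."""
    if method not in perms_map:
        return False
    if not user.is_authenticated:
        return False
    return user.has_perms(
        required_perms(perms_map, method, app_label, model_name))
```

With the stock map an authenticated user holding no permissions passes GET, while the read-enforcing map denies the same request until myapp.view_example is granted.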
