Django Permission Required


Problem description

I'm trying to check permissions for some API requests. I've already set auth users and auth_user_user_permissions and auth_permissions tables like view_company add_company bla bla, but the problem is not that. The problem is when I'm trying to use decorator which

@permission_required('API.view_company', raise_exception=True)

it says to me

AttributeError: 'CompanyDetailView' object has no attribute 'user'

Most probably it's looking for the user because it's going to check user_permission, whether it is available to view companies or not, but my view which I declared in urls.py (path('companies/<int:id>/', CompanyDetailView.as_view()),) does not have a user object, that's why the error message returned an attribute error. How can I solve this? Thanks a lot

I tried to set an example user in the view class. In the beginning it worked because the view was looking for a user object. I cannot use that way because every request has a different user

import rest_framework
from rest_framework import status
from django.contrib.auth.models import User
from rest_framework.views import APIView
from rest_framework.response import Response
from django.contrib.auth.decorators import permission_required

class CompanyDetailView(APIView):
    @permission_required('api.view_company', raise_exception=True)
    def get(self, request, id):
        try:
            request_data = {}
            request_data['request_method'] = request.method
            request_data['id'] = id
            companies = Company.objects.get(id=id)
            status = rest_framework.status.HTTP_200_OK
            return Response(companies, status)

bla bla bla

bla bla bla

URL pattern =

path('companies/<int:id>/', CompanyDetailView.as_view()),

My error message is: AttributeError: 'CompanyDetailView' object has no attribute 'user'

When I debug, I see request.user.has_perm('view_company') returned false but the API still gives responses; it is supposed to say you are not allowed to view companies

Recommended answer

The mechanisms of Django views and Django Rest Framework views are a bit different, that's why you've got that error message. permission_required will try to access the user field of your view to check user permission using the has_perm method. But APIView doesn't have a user field inside of it.

To get rid of this, you might want to use the permissions provided by Django Rest Framework to restrict the access.

But if you still want to use the built-in permissions of Django to restrict the access to your view, you could create a Permission class which will use has_perm to check user permission. Like so:

from rest_framework import permissions
from rest_framework import exceptions

class ViewCompanyPermission(permissions.BasePermission):
    def has_permission(self, request, view):
        if not request.user.has_perm('api.view_company'):
            raise exceptions.PermissionDenied("Don't have permission")
        return True

and use it on your view via the permission_classes field:

class CompanyDetailView(APIView):
    permission_classes = (ViewCompanyPermission, )
    def get(self, request, id):
        try:
            request_data = {}
            request_data['request_method'] = request.method
            request_data['id'] = id
            companies = Company.objects.get(id=id)
            status = rest_framework.status.HTTP_200_OK
            return Response(companies, status)


In case you want to replicate the permission_required behavior, you could do something like this:

from rest_framework import permissions
from rest_framework import exceptions

def permission_required(permission_name, raise_exception=False):
    class PermissionRequired(permissions.BasePermission):
        def has_permission(self, request, view):
            if not request.user.has_perm(permission_name):
                if raise_exception:
                    raise exceptions.PermissionDenied("Don't have permission")
                return False
            return True
    return PermissionRequired

Then you can use it like:

class CompanyDetailView(APIView):
    permission_classes = (permission_required("api.view_company", raise_exception=True), )
    # ...
