需要Django权限 [英] Django Permission Required
问题描述
我正在尝试检查某些API请求的权限.我已经设置了auth用户以及auth_user_user_permissions和auth_permissions表,例如 view_company
add_company
bla bla,但问题不在于此.问题是当我尝试使用装饰器时
I'm trying to check permissions for some API requests.
I've already set auth users and auth_user_user_permissions and auth_permissions tables like view_company
add_company
bla bla, but the problem is not that. The problem is when I'm trying yo use decorator which
@permission_required('API.view_company', raise_exception=True)
它对我说
AttributeError: 'CompanyDetailView' object has no attribute 'user'
很可能它正在寻找用户,因为它会检查user_permission是否可以查看公司,但是我在urls.py中声明的视图(path('companies//',CompanyDetailView.as_view()),)没有用户对象,这就是错误消息返回属性错误的原因,我该如何解决,非常感谢
Most probably it's looking for the user because its gonna check user_permission is it available to view companies or not but my view which I declared in urls.py (path('companies//', CompanyDetailView.as_view()),) has not have user object that's why error message returned attribute error, how can I solve this, thanks a lot
我试图在视图类中设置示例用户,一开始,它起作用是因为视图正在寻找用户对象,我不能使用这种方式,因为每个请求都有不同的用户
I tried to set example user in view class, in the beginning, it worked because view was looking for user object, i can not use that way because every request has different user
import rest_framework
from rest_framework import status
from django.contrib.auth.models import User
from rest_framework.views import APIView
from rest_framework.response import Response
from django.contrib.auth.decorators import permission_required
class CompanyDetailView(APIView):
@permission_required('api.view_company', raise_exception=True)
def get(self, request, id):
try:
request_data = {}
request_data['request_method'] = request.method
request_data['id'] = id
companies = Company.objects.get(id=id)
status = rest_framework.status.HTTP_200_OK
return Response(companies, status)
bla bla bla
bla bla bla
网址行为=
path('companies/<int:id>/', CompanyDetailView.as_view()),
我的错误消息是: AttributeError:'CompanyDetailView'对象没有属性'user'
当我调试并看到 request.user.has_perm('view_company')
返回false但仍然api给出响应时,它表示您不允许查看公司
when i debug and i see request.user.has_perm('view_company')
returned false but still api give responses, it suppose to say you are not allow to view companies
推荐答案
Django视图和Django Rest框架视图的机制有些不同,这就是为什么您收到该错误消息的原因. permission_required
将尝试使用 has_perm
方法访问视图的 user
字段以检查用户权限.但是APIView里面没有 user
字段.
The mechanism of Django Views and Django Rest Framework Views are a bit different, that's why you've got that error message. permission_required
will try to access user
field of your view to check user permission using has_perm
method. But APIView didn't have user
field inside of it.
要摆脱这种情况,您可能需要使用许可来限制访问.
To get rid of this, you might want to use permissions which provided by Django Rest Framework to restrict the access.
但是,如果您仍然想使用Django的内置权限来限制对视图的访问,则可以创建一个Permission类,该类将使用 has_perm
来检查用户权限.像这样:
But if you still want to use built-in permission of Django to restrict the access to your view, you could create a Permission class which will use has_perm
to check user permission. Like so:
from rest_framework import permissions
from rest_framework import exceptions
class ViewCompanyPermission(permissions.BasePermission):
def has_permission(self, request, view):
if not request.user.has_perm('api.view_company'):
raise exceptions.PermissionDenied("Don't have permission")
return True
并通过 permission_classes
字段在您的视图中使用它:
and use it on your view via permission_classes
field:
class CompanyDetailView(APIView):
permission_classes = (ViewCompanyPermission, )
def get(self, request, id):
try:
request_data = {}
request_data['request_method'] = request.method
request_data['id'] = id
companies = Company.objects.get(id=id)
status = rest_framework.status.HTTP_200_OK
return Response(companies, status)
如果要复制 permission_required
行为,可以执行以下操作:
In case you want to replicas the permission_required
behavior, you could do something like this:
from rest_framework import permissions
from rest_framework import exceptions
def permission_required(permission_name, raise_exception=False):
class PermissionRequired(permissions.BasePermission):
def has_permission(self, request, view):
if not request.user.has_perm(permission_name):
if raise_exception:
raise exceptions.PermissionDenied("Don't have permission")
return False
return True
return PermissionRequired
然后您可以像使用它一样
Then you can use it like:
class CompanyDetailView(APIView):
permission_classes = (permission_required("api.view_company", raise_exception=True), )
# ...
这篇关于需要Django权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!