Django休息框架的权限类ViewView方法 [英] Django rest framework permission_classes of ViewSet method
问题描述
class UserViewSet(viewsets.ModelViewSet) :
queryset = User.objects.all()
serializer_class = UserSerializer
def create(self,request,* args,** kwargs):
return super (UserViewSet,self).create(request,* args,** kwargs)
@ decorators.permission_classes(permissions.IsAdminUser)
def list(self,request,* args,** kwargs)
return super(UserViewSet,self).list(request,* args,** kwargs)
在上面的代码中,我想允许未经身份验证的用户注册(用户创建),但是我不想让列表用户给任何人,仅供工作人员使用。
在 docs 中,我看到了使用 permission_cla保护API视图(而不是ViewSet方法) sses
装饰器,我看到为整个ViewSet设置了一个权限类。但是它似乎不能覆盖ViewSet方法。有什么办法才能将它们用于某些端点?
我认为没有内置的解决方案。但是您可以通过覆盖 get_permissions
方法来实现此目的:
class UserViewSet (viewets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes_by_action = {'create':[AllowAny]
'list ':[IsAdminUser]}
def create(self,request,* args,** kwargs):
return super(UserViewSet,self).create(request,* args,**
def list(self,request,* args,** kwargs):
return super(UserViewSet,self).list(request,* args,** kwargs)
def get_permissions(self):
try:
#return permission_classes取决于`action`
return [permission()for permission in self.permission_classes_by_action [self.action]
除了KeyError:
#action没有设置return default permission_classes
return [p ermission()for self.permission_classes]
I'm writing a rest API with the Django REST framework, and I'd like to protect certain endpoints with permissions. The permission classes look like they provide an elegant way to accomplish this. My problem is that I'd like to use different permission classes for different overridden ViewSet methods.
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
def create(self, request, *args, **kwargs):
return super(UserViewSet, self).create(request, *args, **kwargs)
@decorators.permission_classes(permissions.IsAdminUser)
def list(self, request, *args, **kwargs):
return super(UserViewSet, self).list(request, *args, **kwargs)
In the code above I'd like to allow registration (user creation) for unauthenticated users too, but I don't want to let list users to anyone, just for staff.
In the docs I saw examples for protecting API views (not ViewSet methods) with the permission_classes
decorator, and I saw setting a permission classes for the whole ViewSet. But it seems not working on overridden ViewSet methods. Is there any way to only use them for certain endpoints?
I think there is no inbuilt solution for that. But you can achieve this by overriding the get_permissions
method:
class UserViewSet(viewsets.ModelViewSet):
queryset = User.objects.all()
serializer_class = UserSerializer
permission_classes_by_action = {'create': [AllowAny]
'list': [IsAdminUser]}
def create(self, request, *args, **kwargs):
return super(UserViewSet, self).create(request, *args, **kwargs)
def list(self, request, *args, **kwargs):
return super(UserViewSet, self).list(request, *args, **kwargs)
def get_permissions(self):
try:
# return permission_classes depending on `action`
return [permission() for permission in self.permission_classes_by_action[self.action]
except KeyError:
# action is not set return default permission_classes
return [permission() for permission in self.permission_classes]
这篇关于Django休息框架的权限类ViewView方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!