DjangoRestFramework - How to properly separate has_permission and has_object_permission


Problem description

This is my permission class:

from rest_framework import permissions


class IsCreationOrFollowOrOwnerOrReadOnly(permissions.BasePermission):
    """
    Allow any users to create, get and follow objects. Allow only owners to
    PUT, PATCH and DELETE.
    """
    def has_permission(self, request, view):
        # View-level check: runs before get_object(), so it cannot see the object.
        if request.method in permissions.SAFE_METHODS or request.user.is_staff:
            return True

        if view.action == 'create':
            return True

        return False

    def has_object_permission(self, request, view, obj):
        # Object-level check: only reached from views that call get_object().
        if request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action == 'follow':
            return True

        try:
            return obj.owner == request.user
        except AttributeError:
            return obj == request.user  # If obj is request.user

To follow an object, you have to use the follow action. This is my viewset:

from rest_framework import status, viewsets
from rest_framework.decorators import detail_route
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response


class PageViewSet(viewsets.ModelViewSet):
    queryset = Page.objects.all()
    serializer_class = PageSerializer
    permission_classes = (IsAuthenticated, IsCreationOrFollowOrOwnerOrReadOnly,)

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user, location=self.request.user.userextended.location)

    @detail_route(methods=['post'])
    def follow(self, request, pk=None):
        # get_object() is what triggers has_object_permission for this action
        page = self.get_object()

        page.users.add(request.user)

        return Response(status=status.HTTP_204_NO_CONTENT)

The issue is, when I try to follow an object, it gives me a 403_FORBIDDEN status code. I'm assuming this is because in has_permission, I have to add this line:

if view.action=='follow':
    return True

But even if I add that line, I get a 403_FORBIDDEN error when an owner tries to PUT to his own object (this is probably because in my has_permission method I don't have if view.action == 'update': return True, but PUT, PATCH and DELETE all depend on the object itself (if obj.owner == request.user)). So how do I properly allow only users to PUT, PATCH and DELETE while allowing any users to FOLLOW objects? (FOLLOW is also an object-level permission, so placing that in has_permission doesn't make sense to me since it has to do with objects.)

Recommended answer

You don't need to override has_permission. Just override has_object_permission and do it like this:

def has_object_permission(self, request, view, obj):
    if request.method in permissions.SAFE_METHODS or request.user.is_staff or obj.owner == request.user:
        return True

    if request.method=='POST':
        return True

    return False

This way owner and staff can perform any action. But a user can only get, post and follow.
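The following is an added example, not code from the question or the answer. It reproduces the two-stage ordering DRF uses (has_permission runs in the view's initial() for every request; has_object_permission runs only when a view calls get_object(), which list and create never do) with constructed stand-ins for the request, view and Page objects, so it runs without Django or DRF installed. Both permission classes from the thread are modelled so the 403s the asker reports and the answer's outcome can be compared side by side.

```python
# Added example: emulates DRF's permission ordering with plain Python.
# User, Request, View and Page are constructed stand-ins, not DRF/Django classes.
from dataclasses import dataclass, field

# Same tuple rest_framework.permissions.SAFE_METHODS contains.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class User:
    name: str
    is_staff: bool = False


@dataclass
class Request:
    method: str
    user: User


@dataclass
class View:
    # ModelViewSet actions: list, create, retrieve, update, partial_update,
    # destroy, plus the custom detail route 'follow' from the question.
    action: str


@dataclass
class Page:
    owner: User
    users: list = field(default_factory=list)


class OriginalPermission:
    """The asker's class: has_permission rejects every non-safe, non-create
    request before get_object() (and so has_object_permission) ever runs."""

    def has_permission(self, request, view):
        if request.method in SAFE_METHODS or request.user.is_staff:
            return True
        return view.action == "create"

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS or request.user.is_staff or view.action == "follow":
            return True
        # Same as the try/except in the question: fall back to obj itself.
        return getattr(obj, "owner", obj) == request.user


class AnswerPermission:
    """The accepted answer: leave has_permission at BasePermission's default
    (allow everything) and decide per object."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS or request.user.is_staff or obj.owner == request.user:
            return True
        # A POST that reached a detail route is the 'follow' action.
        return request.method == "POST"


# Actions that call self.get_object(), which is where DRF runs
# check_object_permissions(); list and create never reach it.
DETAIL_ACTIONS = {"retrieve", "update", "partial_update", "destroy", "follow"}


def dispatch(permission, request, view, obj=None):
    """Emulates DRF: check_permissions() first, then check_object_permissions()
    only for detail routes. Returns the HTTP status the client would see."""
    if not permission.has_permission(request, view):
        return 403
    if view.action in DETAIL_ACTIONS and not permission.has_object_permission(request, view, obj):
        return 403
    return 200


def run_matrix(permission):
    """Status code for each scenario discussed in the thread (constructed data)."""
    alice, bob, root = User("alice"), User("bob"), User("root", is_staff=True)
    page = Page(owner=alice)
    cases = {
        "bob follows alice's page": (Request("POST", bob), View("follow")),
        "alice updates her page": (Request("PUT", alice), View("update")),
        "bob updates alice's page": (Request("PATCH", bob), View("partial_update")),
        "bob creates a page": (Request("POST", bob), View("create")),
        "bob reads alice's page": (Request("GET", bob), View("retrieve")),
        "staff deletes alice's page": (Request("DELETE", root), View("destroy")),
    }
    return {name: dispatch(permission, req, view, page) for name, (req, view) in cases.items()}


if __name__ == "__main__":
    for cls in (OriginalPermission, AnswerPermission):
        print(cls.__name__, run_matrix(cls()))
```

Two points the matrix makes visible: with the original class, the follow and owner-PUT requests are refused at has_permission, so the object check that would have allowed them never executes; with the answer's class, create is allowed purely because has_permission returns True and no object check runs for it, so the viewset's IsAuthenticated is what gates creation. Note also that the answer's `request.method == 'POST'` branch admits any detail POST action, not only follow; if another detail POST route is added later, checking `view.action == 'follow'` instead keeps the grant narrow.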
