DjangoRestFramework - 如何正确分离has_permission和has_object_permission [英] DjangoRestFramework - How to properly seperate has_permission and has_object_permission
问题描述
这是我的许可类:
class IsCreationOrFollowOrOwnerOrReadOnly(permissions.BasePermission):
"""
Allow any users to create, get and follow objects. Allow only owners to
PUT, PATCH and DELETE.
"""
def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS or request.user.is_staff:
return True
if view.action == 'create':
return True
return False
def has_object_permission(self, request, view):
if request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action=='follow':
return True
try:
return obj.owner == request.user
except:
return obj == request.user # If obj Is request.user
要跟随一个对象,你必须使用 FOL低
动作。这是我的观点:
To follow an object, you have to use the follow
action. This is my viewset:
class {ageViewSet(viewsets.ModelViewSet):
queryset = Page.objects.all()
serializer_class = PageSerializer
permission_classes = (IsAuthenticated, IsCreationOrFollowOrOwnerOrReadOnly,)
def perform_create(self, serializer):
serializer.save(owner=self.request.user, location=self.request.user.userextended.location)
@detail_route(methods=['post'])
def follow(self, request, pk=None):
page = self.get_object()
page.users.add(request.user)
return Response(status=status.HTTP_204_NO_CONTENT)
问题是,当我尝试跟随一个对象时,它给了我一个 403_FORBIDDEN
状态码。我假设这是因为在 has_permission
中,我必须添加以下行:
The issue is, when I try to follow an object, it gives me a 403_FORBIDDEN
status code. I'm assuming this is because in has_permission
, I have to add this line:
if view.action=='follow':
return True
即使我添加了这一行,当一个所有者尝试PUT到他自己的对象时,我得到一个 403_FORBIDDEN
错误(这可能是因为在我的 has_permission
方法我没有如果view.action =='update':return True
但PUT,PATCH和DELETE都依赖于对象本身( 如果obj.owner == request.user
)所以如何正确地允许用户进行PUT,PATCH和DELETE,同时允许任何用户FOLLOW对象(FOLLOW也是一个对象级别许可,所以将它放在 has_permission
对我来说没有意义,因为它与对象有关)。
But even if I add that line, I get a 403_FORBIDDEN
error when an owner tries to PUT to his own object (this is probably because in my has_permission
method I don't have if view.action == 'update': return True
but PUT, PATCH and DELETE all depend on the object itself (if obj.owner == request.user
) so how do I properly allow only users to PUT, PATCH and DELETE while allowing any users to FOLLOW objects (FOLLOW is also an object level permission so placing that in has_permission
doesn't make sense to me since it has to do with objects).
推荐答案
你不需要覆盖 has_permission
只需覆盖 has_object_permission
并做如下:
You don't need to override has_permission
. Just override the has_object_permission
and do like:
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS or request.user.is_staff or obj.owner == request.user:
return True
if request.method=='POST':
return True
return False
这样,所有者和工作人员可以执行任何操作。但是用户只能获取,发布和关注。
This way owner and staff can perform any action. But a user can only get, post and follow.
这篇关于DjangoRestFramework - 如何正确分离has_permission和has_object_permission的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!