Can I print the instance of has_object_permission?

Problem description

I am trying to create a REST API using django-rest-framework. My question is whether I can print the instance of the has_object_permission method so that I can see what is happening in that part. I am trying to make it so that only the owner of an object can update and delete that object, but right now anyone can delete or update any object. Please advise whether there is any other way besides permissions. Can we do all of this with a check in the serializer? If so, please guide me with an example as well. I would be very grateful.

from rest_framework import generics
from rest_framework.permissions import BasePermission

# assumed: the asker's own model and serializer modules (not shown in the question)
from .models import Project
from . import serializers


class ObjectOwnerPermission(BasePermission):

    message = "This object is expired." # custom error message

    def has_object_permission(self, request, view, obj):

        # returns here for every authenticated user; the author check below is never reached
        if request.user.is_authenticated:
            return True
        return False

        if obj.author == request.user:
            return True
        return False


class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView,ObjectOwnerPermission):
    """This endpoint allows for updating a specific Project by passing in the id of the 
Project to update/Retrieve"""
    permissions_classes = [ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer

class DeleteProjectAPIView(generics.DestroyAPIView,ObjectOwnerPermission):
    """This endpoint allows for deletion of a specific Project from the database"""
    permissions_classes = [ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer

Tags: django, serialization, django-rest-framework, permissions

Solution


Your permission does not work because in ObjectOwnerPermission you return True whenever the user is authenticated, which means that anyone who is authenticated passes this permission.

Edit: in the original question permissionS_classes was used instead of permission_classes.

Here is my fixed version:

from rest_framework import generics
from rest_framework.permissions import BasePermission, IsAuthenticated

# assumed: the asker's own model and serializer modules (not shown in the question)
from .models import Project
from . import serializers


class ObjectOwnerPermission(BasePermission):

    message = "This object is expired." # custom error message

    def has_object_permission(self, request, view, obj):
        # only the object's author passes; authentication is handled by IsAuthenticated
        return obj.author == request.user


class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView):
    """This endpoint allows for updating a specific Project by passing in the id of the 
Project to update/Retrieve"""
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer

class DeleteProjectAPIView(generics.DestroyAPIView):
    """This endpoint allows for deletion of a specific Project from the database"""
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer

  • Do not inherit from the permission class in your views; it should only be used in permission_classes.
  • If you want to chain your permissions, it should be done in the permission_classes list.
  • Permission classes are read from left to right, which means IsAuthenticated is checked first, before your class (so inside your class you can be sure the user is logged in).
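To make the difference between the two versions concrete, here is an added example that is not part of the question or the answer: a pure-Python stand-in for how DRF walks permission_classes left to right (has_permission for every class first, then has_object_permission for every class, stopping at the first failure), run against a constructed Project owned by one user. It does not import DRF or Django; User, Request, Project, BasePermission and IsAuthenticated below are all simplified stand-ins, and check_permissions only models the order of checks, not the exact exceptions DRF raises.

```python
from dataclasses import dataclass


# Constructed stand-ins for django.contrib.auth.User, the DRF Request and the asker's Project model.
@dataclass
class User:
    username: str
    is_authenticated: bool = True


@dataclass
class Request:
    user: User
    method: str = "PUT"


@dataclass
class Project:
    title: str
    author: User


class BasePermission:
    """Stand-in for rest_framework.permissions.BasePermission: both hooks default to allow."""
    message = "Permission denied."

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsAuthenticated(BasePermission):
    """Stand-in for rest_framework.permissions.IsAuthenticated (view-level check only)."""
    message = "Authentication credentials were not provided."

    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)


class BrokenOwnerPermission(BasePermission):
    """The question's version: returns for any authenticated user, so the author check is dead code."""
    message = "This object is expired."

    def has_object_permission(self, request, view, obj):
        if request.user.is_authenticated:
            return True
        return False
        # never reached
        return obj.author == request.user


class ObjectOwnerPermission(BasePermission):
    """The answer's version: only the object's author passes."""
    message = "This object is expired."

    def has_object_permission(self, request, view, obj):
        # This print answers the "can I see what is happening" part of the question:
        # it shows which user is being compared against which author for which object.
        print(f"has_object_permission: user={request.user.username!r} "
              f"author={obj.author.username!r} obj={obj.title!r}")
        return obj.author == request.user


def check_permissions(permission_classes, request, obj, view=None):
    """Model of APIView.check_permissions followed by check_object_permissions.

    Classes are instantiated and tested left to right; the first failing class
    ends the walk and its message is returned. None means access is allowed.
    """
    perms = [cls() for cls in permission_classes]
    for perm in perms:
        if not perm.has_permission(request, view):
            return perm.message
    for perm in perms:
        if not perm.has_object_permission(request, view, obj):
            return perm.message
    return None


def run_scenarios():
    """Evaluate both permission chains for the owner, another logged-in user and an anonymous user."""
    alice = User("alice")
    bob = User("bob")
    anon = User("anonymous", is_authenticated=False)
    project = Project("alice's project", author=alice)   # constructed sample object
    chains = {
        "broken": [BrokenOwnerPermission],
        "fixed": [IsAuthenticated, ObjectOwnerPermission],
    }
    results = {}
    for label, classes in chains.items():
        for who in (alice, bob, anon):
            results[(label, who.username)] = check_permissions(classes, Request(who), project)
    return results


if __name__ == "__main__":
    for (chain, who), outcome in run_scenarios().items():
        print(f"{chain:6} {who:9} -> {'allowed' if outcome is None else outcome}")
```

Running it shows the bug the answer describes: under the broken chain bob, who is merely logged in, is allowed to update alice's project, while under the fixed chain bob is refused with the custom message and the anonymous user is stopped by IsAuthenticated before ObjectOwnerPermission (and its print) ever runs, which is the left-to-right ordering the last bullet refers to.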
