Django REST drf-nested-routers does not trigger permission checks


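I'm using drf-nested-routers with ModelViewSet. Everything works, but no permission checks are performed on the resource/object.

When dealing with a single resource / non-nested URL, the permission checks are performed.

Is there something I'm missing?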

from django.shortcuts import get_object_or_404
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

# Comment, CommentSerializer and permissions are the project's own modules.


class CommentViewSet(viewsets.ModelViewSet):
    permission_classes = [IsAuthenticated,
                          permissions.CanCreateEditViewDeleteComment]

    def get_serializer_class(self, *args, **kwargs):
        return CommentSerializer

    def list(self, request, article_pk=None):
        # Only the comments that belong to the parent article from the nested URL
        queryset = Comment.objects.select_related('article', 'user').filter(
            article=article_pk).prefetch_related('likes')

        page = self.paginate_queryset(queryset)
        if page is not None:
            serializer = self.get_serializer(page, many=True)
            return self.get_paginated_response(serializer.data)

        serializer = self.get_serializer(queryset, many=True)
        return Response(serializer.data)

    def retrieve(self, request, pk=None, article_pk=None):
        # The comment is fetched here directly, without going through get_object()
        queryset = Comment.objects.select_related('article', 'user').filter(
            pk=pk, article=article_pk).prefetch_related('likes')
        comment = get_object_or_404(queryset, pk=pk)
        serializer = self.get_serializer(comment)
        return Response(serializer.data)

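OK, after going through the documentation, there is a way to call the permission check manually.

If you're writing your own views and want to enforce object-level permissions, or if you override the get_object method on a generic view, then you'll need to explicitly call the .check_object_permissions(request, obj) method on the view at the point at which you've retrieved the object.

Here is a code example: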

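def get_object(self):
    # Look up the single object named in the URL, then run the object-level checks
    obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
    self.check_object_permissions(self.request, obj)
    return obj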