DjangoRestFramework-如何正确区分has_权限和has_object_权限
这是我的权限类:DjangoRestFramework-如何正确区分has_权限和has_object_权限,django,django-rest-framework,django-permissions,Django,Django Rest Framework,Django Permissions,这是我的权限类: class IsCreationOrFollowOrOwnerOrReadOnly(permissions.BasePermission): """ Allow any users to create, get and follow objects. Allow only owners to PUT, PATCH and DELETE. """ def has_permission(self, request, view):
class IsCreationOrFollowOrOwnerOrReadOnly(permissions.BasePermission):
"""
Allow any users to create, get and follow objects. Allow only owners to
PUT, PATCH and DELETE.
"""
def has_permission(self, request, view):
if request.method in permissions.SAFE_METHODS or request.user.is_staff:
return True
if view.action == 'create':
return True
return False
def has_object_permission(self, request, view):
if request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action=='follow':
return True
try:
return obj.owner == request.user
except:
return obj == request.user # If obj Is request.user
要跟随对象,必须使用跟随动作。这是我的视图集:
class {ageViewSet(viewsets.ModelViewSet):
queryset = Page.objects.all()
serializer_class = PageSerializer
permission_classes = (IsAuthenticated, IsCreationOrFollowOrOwnerOrReadOnly,)
def perform_create(self, serializer):
serializer.save(owner=self.request.user, location=self.request.user.userextended.location)
@detail_route(methods=['post'])
def follow(self, request, pk=None):
page = self.get_object()
page.users.add(request.user)
return Response(status=status.HTTP_204_NO_CONTENT)
问题是,当我试图跟踪一个对象时,它会给我一个403_禁止状态代码。我假设这是因为in拥有_权限,我必须添加以下行:
if view.action=='follow':
return True
但是,即使我添加了这一行,当所有者试图将其放入自己的对象时,我也会收到一个403_禁止的错误。这可能是因为在我的has_权限方法中,如果view.action='update':返回True,但是如果obj.owner==request.user,则PUT、PATCH和DELETE都依赖于对象本身。那么,我如何正确地只允许用户放置,在允许任何用户跟随对象的同时进行修补和删除也是一种对象级权限,因此将其放置在“具有”权限中对我来说没有意义,因为它与对象有关。您不需要覆盖“具有”权限。只需覆盖has_object_权限,然后执行以下操作:
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS or request.user.is_staff or obj.owner == request.user:
return True
if request.method=='POST':
return True
return False
这样,所有者和员工可以执行任何操作。但用户只能获取、发布和跟踪