DjangoRestFramework-has_权限错误重写has_object_权限
这是我的许可:DjangoRestFramework-has_权限错误重写has_object_权限,django,django-rest-framework,django-permissions,Django,Django Rest Framework,Django Permissions,这是我的许可: class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly(permissions.BasePermission): """ Allow only the owner (and admin) of the object to make changes (i.e. do PUT, PATCH, DELETE and POST requests. Allow all other users Rea
class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly(permissions.BasePermission):
"""
Allow only the owner (and admin) of the object to make changes (i.e.
do PUT, PATCH, DELETE and POST requests. Allow all other users
ReadOnly or Follow options. This is for UserViewSet. Allow unauthenticated users to
create objects.
"""
def has_permission(self, request, view):
if not request.user.is_authenticated():
if view.action == 'create':
return True
return False
return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action=='follow'
def has_object_permission(self, request, view, obj):
if not request.user.is_authenticated():
return False
if request.method in permissions.SAFE_METHODS:
return True
if request.user.is_staff:
return True
if view.action == 'follow':
return True
return obj.owner == request.user
问题是,经过身份验证的用户无法放置、修补或删除他们自己的帐户,因为in中有_权限
它说:
return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action=='follow'
但是,此处的PUT、PATCH和DELETE取决于if
obj.owner==request.user
(取决于对象)。所以,当拥有\u权限
无权访问对象,因此不应允许任何放置、修补和删除时,我如何允许用户仅放置、修补和删除其帐户(因为这一切都取决于obj.owner==request.user
为什么不禁用拥有权限
并修改拥有对象权限
以检查帖子
def has_object_permission(self, request, view, obj):
if request.method == 'POST':
return True
if not request.user.is_authenticated():
return False
if request.method in permissions.SAFE_METHODS:
return True
if request.user.is_staff:
return True
if view.action == 'follow':
return True
return obj.owner == request.user
为什么不从
has\u permission
中删除检查,并允许使用不安全的方法?无论如何,它们都将在has\u object\u permission
中被检查。@RetoAebersold因为创建对象和获取对象列表不是由has\u object\u permission
处理的,而是由has\u permission
处理的。我需要进行修改确保未经身份验证的用户无法获得对象列表,但可以访问POST(创建对象)。对于存在此问题的任何其他用户,请检查