使用django guardian for djangorestframework时权限不起作用
我试图使用django guardian将对象级权限添加到django REST项目中,但我得到了 HTTP 403禁止 允许:获取、发布、头、选项 内容类型:application/json 更改:接受 { “详细信息”:“您没有执行此操作的权限。” } 用户joe已登录 settings.py:使用django guardian for djangorestframework时权限不起作用,django,django-rest-framework,django-guardian,Django,Django Rest Framework,Django Guardian,我试图使用django guardian将对象级权限添加到django REST项目中,但我得到了 HTTP 403禁止 允许:获取、发布、头、选项 内容类型:application/json 更改:接受 { “详细信息”:“您没有执行此操作的权限。” } 用户joe已登录 settings.py: INSTALLED_APPS = [ 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.cont
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'django.contrib.sites',
'guardian',
'rest_framework',
'rest_framework.authtoken',
'rest_auth',
'task.apps.TaskConfig',
]
models.py:
class Task(models.Model):
summary = models.CharField(max_length=32)
content = models.TextField()
reported_by = models.ForeignKey(User, on_delete=models.CASCADE)
created_at = models.DateTimeField(auto_now_add=True)
class Meta:
permissions = (
('view_task', 'View task'),
)
serializers.py:
class TaskSerializer(serializers.ModelSerializer):
class Meta:
model = Task
fields = '__all__'
permissions.py:
class CustomObjectPermissions(permissions.DjangoObjectPermissions):
perms_map = {
'GET': ['%(app_label)s.view_%(model_name)s'],
'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
'HEAD': ['%(app_label)s.view_%(model_name)s'],
'POST': ['%(app_label)s.add_%(model_name)s'],
'PUT': ['%(app_label)s.change_%(model_name)s'],
'PATCH': ['%(app_label)s.change_%(model_name)s'],
'DELETE': ['%(app_label)s.delete_%(model_name)s'],
}
filters.py:
class DjangoObjectPermissionsFilter(BaseFilterBackend):
perm_format = '%(app_label)s.view_%(model_name)s'
shortcut_kwargs = {
'accept_global_perms': False,
}
def __init__(self):
assert 'guardian' in settings.INSTALLED_APPS, (
'Using DjangoObjectPermissionsFilter, '
'but django-guardian is not installed.')
def filter_queryset(self, request, queryset, view):
from guardian.shortcuts import get_objects_for_user
user = request.user
permission = self.perm_format % {
'app_label': queryset.model._meta.app_label,
'model_name': queryset.model._meta.model_name,
}
return get_objects_for_user(
user, permission, queryset,
**self.shortcut_kwargs)
views.py:
class TaskViewSet(viewsets.ModelViewSet):
queryset = Task.objects.all()
serializer_class = TaskSerializer
permission_classes = (CustomObjectPermissions,)
filter_backends = (DjangoObjectPermissionsFilter,)
URL.py:
router = DefaultRouter()
router.register('tasks', TaskViewSet, base_name='tasks')
urlpatterns = router.urls
但它在贝壳里很好用
> python manage.py shell -i ipython
In [1]: from django.contrib.auth.models import User
In [2]: joe = User.objects.all().filter(username="joe")[0]
In [3]: import task.models as task_models
In [4]: task = task_models.Task.objects.all()[0]
In [5]: joe.has_perm('view_task', task)
Out[5]: True
首先是API,然后是它们是否适用。由于自定义权限类要求用户具有读取权限,因此需要确保已为Joe分配了模型级读取权限。如果您选中joe.has\u perm('tasks.view\u task')
,我敢打赌它会返回False
。要解决此问题,您需要直接为其用户分配权限,或者将其添加到已分配适当权限的组中
另外,请注意,Django 2.1最近添加了权限,不必再将其添加到模型中 首先是API,然后是API是否适用。由于自定义权限类要求用户具有读取权限,因此需要确保已为Joe分配了模型级读取权限。如果您选中joe.has\u perm('tasks.view\u task')
,我敢打赌它会返回False
。要解决此问题,您需要直接为其用户分配权限,或者将其添加到已分配适当权限的组中
另外,请注意,Django 2.1最近添加了权限,不必再将其添加到模型中