Django-REST：自定义权限不起作用

Question

我正在尝试使用 this guide

进行自定义权限

views.py

class CustomModelList(generics.ListAPIView):
    queryset = CustomModel.objects.all()
    serializer_class = CustomModelSerializer
    permission_classes = [IsAuthenticatedOrReadOnly, IsCustomOrReadOnly]

    def get(self, request, format=None):
        # some logic

    def post(self, request, format=None):
        # some logic

只是为了实验，我创建了这个权限，无论如何都不要申请

pesmissions.py

class IsCustomOrReadOnly(BasePermission):
    def has_object_permission(self, request, view, obj):
        return False

但是当 POST 请求发送到服务器时它不起作用 -- 我能够创建新的模型实例。

Answer 1

我认为由于您使用的是列表视图，custom object level permissions 不会自动检查。

Also note that the generic views will only check the object-level permissions for views that retrieve a single model instance. If you require object-level filtering of list views, you'll need to filter the queryset separately. See the filtering documentation for more details.

您可以尝试重写 has_permission 方法，看看是否可行，或者手动检查权限。