Django RestFramework IsOwnerOrReadOnly
Django RestFramework IsOwnerOrReadOnly
我创建我的权限 class 每个人都可以读取一个对象,只有管理员可以创建该对象。但是当我注销并尝试创建对象时,权限 class 允许我。我错过了什么?
models.py
class Book(models.Model):
title = models.CharField(max_length=20)
content = models.TextField()
page = models.IntegerField()
views.py
class BookAPIView(
mixins.CreateModelMixin,
generics.ListAPIView):
permission_classes = [IsAdminOrReadOnly]
serializer_class = BookSerializer
queryset = Book.objects.all()
def post(self, request, *args, **kwargs):
return self.create(request, *args, **kwargs)
permissions.py
class IsAdminOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
if request.method == 'GET':
return True
return request.user.is_staff
您需要覆盖has_permission:
class IsAdminOrReadOnly(permissions.BasePermission):
def has_permission(self, request, view):
if request.method == 'GET':
return True
return request.user.is_staff
has_object_permission 允许您修改一个现有对象。
我创建我的权限 class 每个人都可以读取一个对象,只有管理员可以创建该对象。但是当我注销并尝试创建对象时,权限 class 允许我。我错过了什么?
models.py
class Book(models.Model):
title = models.CharField(max_length=20)
content = models.TextField()
page = models.IntegerField()
views.py
class BookAPIView(
mixins.CreateModelMixin,
generics.ListAPIView):
permission_classes = [IsAdminOrReadOnly]
serializer_class = BookSerializer
queryset = Book.objects.all()
def post(self, request, *args, **kwargs):
return self.create(request, *args, **kwargs)
permissions.py
class IsAdminOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
if request.method == 'GET':
return True
return request.user.is_staff
您需要覆盖has_permission:
class IsAdminOrReadOnly(permissions.BasePermission):
def has_permission(self, request, view):
if request.method == 'GET':
return True
return request.user.is_staff
has_object_permission 允许您修改一个现有对象。