我怎样才能让 "has_object_permission( )" 工作？

Question

我正在尝试为用户创建对象级权限。我的ddbb模型结构如下：

一位教师拥有一个教室（id_teacher外键）
一个教室拥有一些学生（id_classroom ForeignKey）

我只想让拥有学生注册教室的老师访问学生信息。

这里是API代码和权限代码：

class StudentAPI(RetrieveUpdateAPIView):
    permission_classes = [GetStudentPermission, ]

    def get(self, request):
        student_ = Student.objects.get(username=request.GET['username'])
        s_student_ = StudentSerializer(student_)
        return Response(s_student_.data)

class GetStudentPermission(BasePermission):
    message = 'La información de este estudiante está restringida para usted'

    def has_object_permission(self, request, view, obj):
        cls_ = Classroom.objects.filter(id=obj.id_classroom.id).first()
        tch_ = Teacher.objects.get(classroom=cls_)
        user_ = User.objects.get(id=tch_.id_user.id)
        return bool(user_ == request.user)

似乎权限类根本不起作用，因为我可以访问使用任何用户帐户注册的每个学生的信息。先谢谢你

Answer 1

根据 Custom permissions [DRF docs] 部分中的说明：

The instance-level has_object_permission method will only be called if the view-level has_permission checks have already passed. Also note that in order for the instance-level checks to run, the view code should explicitly call .check_object_permissions(request, obj). If you are using the generic views then this will be handled for you by default. (Function-based views will need to check object permissions explicitly, raising PermissionDenied on failure.)

由于您重写 get 并自己实现 check_object_permissions 永远不会被调用，您可以自己实现：

class StudentAPI(RetrieveUpdateAPIView):
    permission_classes = [GetStudentPermission, ]

    def get(self, request):
        student_ = Student.objects.get(username=request.GET['username'])
        self.check_object_permissions(self.request, student)
        s_student_ = StudentSerializer(student_)
        return Response(s_student_.data)

或者更好的是，您的 get 实现与 RetrieveUpdateAPIView 已有的内置实现没有太大区别，因此您可以放弃覆盖 get 并实际直接使用视图：

class StudentAPI(RetrieveUpdateAPIView):
    queryset = Student.objects.all()
    serializer_class = StudentSerializer
    lookup_field = 'username'
    permission_classes = [GetStudentPermission, ]

我怎样才能让 "has_object_permission( )" 工作？

How can I make "has_object_permission( )" work?

python

django

rest

user-permissions

django-rest-framework