Can I print the instance of has_object_permission?
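I am trying to create a REST API using django-rest-framework. My question is: can I print the instance of the has_object_permission method so that I can see what is happening in that part? I am trying to make it so that only the owner of an object can update and delete that object, but right now anyone can delete or update any object. Please tell me whether there is another way besides permissions. Can we do all of this with checks in the serializer? If yes, please guide me with an example as well. I would be grateful.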
class ObjectOwnerPermission(BasePermission):
    message = "This object is expired."  # custom error message

    def has_object_permission(self, request, view, obj):
        if request.user.is_authenticated:
            return True
        return False

        if obj.author == request.user:
            return True
        return False


class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView, ObjectOwnerPermission):
    """This endpoint allows for updating a specific Project by passing in the id of the
    Project to update/Retrieve"""
    permissions_classes = [ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer


class DeleteProjectAPIView(generics.DestroyAPIView, ObjectOwnerPermission):
    """This endpoint allows for deletion of a specific Project from the database"""
    permissions_classes = [ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer
Your permission is not working because you return True in your ObjectOwnerPermission when the user is authenticated, which means that anyone who is authenticated passes this permission.
Edit:
In the original question, permissionS_classes was used instead of permission_classes.

Here is my fixed version:
from rest_framework import generics
from rest_framework.permissions import BasePermission, IsAuthenticated


class ObjectOwnerPermission(BasePermission):
    message = "This object is expired."  # custom error message

    def has_object_permission(self, request, view, obj):
        # Only the author of the object passes the object-level check.
        return obj.author == request.user


class RetrieveUpdateProjectAPIView(generics.RetrieveUpdateAPIView):
    """This endpoint allows for updating a specific Project by passing in the id of the
    Project to update/Retrieve"""
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer


class DeleteProjectAPIView(generics.DestroyAPIView):
    """This endpoint allows for deletion of a specific Project from the database"""
    permission_classes = [IsAuthenticated, ObjectOwnerPermission]
    queryset = Project.objects.all()
    serializer_class = serializers.ProjectSerializer
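- Do not inherit from the permission class in your views - it should only be used in permission_classes
- If you want to chain your permissions, that should be done in the permission_classes list
- Permission classes are read from left to right, which means that IsAuthenticated is checked first, before your class (so in your class you can be sure that the user is logged in)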