Here is my permission class:
from rest_framework import permissions


class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly(permissions.BasePermission):
    """
    Allow only the owner (and admin) of the object to make changes (i.e.
    do PUT, PATCH, DELETE and POST requests). Allow all other users
    ReadOnly or Follow options. This is for UserViewSet. Allow unauthenticated users to
    create objects.
    """

    def has_permission(self, request, view):
        # Coarse, view-level check: DRF runs this before any object is loaded.
        # Note: on Django 2.0+ is_authenticated is a property, not a method, and must not be called.
        if not request.user.is_authenticated():
            if view.action == 'create':
                return True
            return False
        return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action == 'follow'

    def has_object_permission(self, request, view, obj):
        # Fine-grained check: only reached for detail routes, after get_object().
        if not request.user.is_authenticated():
            return False
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.user.is_staff:
            return True
        if view.action == 'follow':
            return True
        return obj.owner == request.user
The problem is that an authenticated user cannot PUT, PATCH or DELETE their own account, because has_permission says:
return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action=='follow'
But whether PUT, PATCH and DELETE are allowed here depends on obj.owner == request.user (i.e. on the object). So how do I allow a user to PUT, PATCH and DELETE only their own account, when has_permission has no access to the object and therefore should not allow any PUT, PATCH or DELETE at all (since that depends entirely on whether obj.owner == request.user)?
Best answer
Why not drop has_permission and change has_object_permission to check for POST?
def has_object_permission(self, request, view, obj):
    if request.method == 'POST':
        return True
    # Note: on Django 2.0+ is_authenticated is a property, not a method, and must not be called.
    if not request.user.is_authenticated():
        return False
    if request.method in permissions.SAFE_METHODS:
        return True
    if request.user.is_staff:
        return True
    if view.action == 'follow':
        return True
    return obj.owner == request.user
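The following is an added example, not code from the question or the answer above. It models, in plain Python, the order in which Django REST Framework evaluates the two hooks (check_permissions() runs has_permission for every request; check_object_permissions(), called from get_object(), runs has_object_permission only for detail routes) and shows a permission class in which has_permission acts purely as a coarse gate while ownership is decided per object. The User, Request, View and Account stand-ins, the dispatch() harness and the class names are constructed for this example; in a real project the class would subclass rest_framework.permissions.BasePermission and APIView would perform both checks.

```python
# Added example (not the post's code): a pure-Python model of how DRF combines
# has_permission and has_object_permission, plus a permission class that lets
# owners edit their own account.  All stand-ins below are constructed for the
# example; DRF itself is not imported so that the file runs without Django.
from dataclasses import dataclass

# Same tuple as rest_framework.permissions.SAFE_METHODS.
SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')


@dataclass(frozen=True)
class User:                      # stand-in for django.contrib.auth user objects
    name: str
    is_authenticated: bool = True  # a property on Django >= 1.10
    is_staff: bool = False


@dataclass
class Request:                   # stand-in for rest_framework.request.Request
    method: str
    user: User


@dataclass
class View:                      # stand-in for a ViewSet; only .action is needed
    action: str  # list, create, retrieve, update, partial_update, destroy, follow


@dataclass
class Account:                   # stand-in for the model instance with an owner FK
    owner: User


class IsCreationOrIsOwnerOrFollowOrReadOnly:
    """Coarse gate in has_permission; ownership decided in has_object_permission.

    has_permission cannot see the object, so it must NOT reject PUT/PATCH/DELETE
    outright: it only decides who may reach the view at all.  Ownership is then
    enforced once get_object() has loaded the instance.
    """

    def has_permission(self, request, view):
        if not request.user.is_authenticated:
            # Anonymous users may only sign up; no listing, no detail routes.
            return view.action == 'create'
        # Authenticated users pass the coarse gate; the object check decides the rest.
        return True

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        if request.user.is_staff:
            return True
        if view.action == 'follow':
            return True
        return obj.owner == request.user


class OriginalPermission(IsCreationOrIsOwnerOrFollowOrReadOnly):
    """The has_permission from the question, kept to show where the owner's PUT dies."""

    def has_permission(self, request, view):
        if not request.user.is_authenticated:
            return view.action == 'create'
        return (request.method in SAFE_METHODS
                or request.user.is_staff
                or view.action == 'follow')


# Actions that call get_object(), which is where DRF invokes
# check_object_permissions(); list and create never reach has_object_permission.
DETAIL_ACTIONS = {'retrieve', 'update', 'partial_update', 'destroy', 'follow'}


def dispatch(perm, request, view, obj=None):
    """Mimic APIView: check_permissions() first, then check_object_permissions()
    for detail actions.  Returns the stage that denied the request, or 'allowed'."""
    if not perm.has_permission(request, view):
        return 'denied:has_permission'
    if view.action in DETAIL_ACTIONS and not perm.has_object_permission(request, view, obj):
        return 'denied:has_object_permission'
    return 'allowed'


if __name__ == '__main__':
    alice, bob = User('alice'), User('bob')
    fixed, original = IsCreationOrIsOwnerOrFollowOrReadOnly(), OriginalPermission()
    print(dispatch(original, Request('PUT', alice), View('update'), Account(alice)))  # denied:has_permission
    print(dispatch(fixed, Request('PUT', alice), View('update'), Account(alice)))     # allowed
    print(dispatch(fixed, Request('PUT', bob), View('update'), Account(alice)))       # denied:has_object_permission
```

Because check_object_permissions() is only called from get_object(), a POST to the create route is decided by has_permission alone, so the "anyone may create" rule has to live in the coarse gate, and a POST branch in has_object_permission never runs for creation. Conversely, with no has_permission at all (BasePermission's default returns True), the list route is open to anonymous users, since has_object_permission is never consulted there either.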
Regarding "DjangoRestFramework - has_permission incorrectly overrides has_object_permission", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33489516/