Django REST Framework: how to correctly separate has_permission and has_object_permission

Here is my permission class:
```python
from rest_framework import permissions


class IsCreationOrFollowOrOwnerOrReadOnly(permissions.BasePermission):
    """
    Allow any users to create, get and follow objects. Allow only owners to
    PUT, PATCH and DELETE.
    """

    def has_permission(self, request, view):
        if request.method in permissions.SAFE_METHODS or request.user.is_staff:
            return True
        if view.action == 'create':
            return True
        return False

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action == 'follow':
            return True
        try:
            return obj.owner == request.user
        except AttributeError:
            return obj == request.user  # if obj is the request.user itself
```
To follow an object you have to use the `follow` action. Here is my viewset:
```python
from rest_framework import status, viewsets
from rest_framework.decorators import detail_route
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response


class PageViewSet(viewsets.ModelViewSet):
    queryset = Page.objects.all()
    serializer_class = PageSerializer
    permission_classes = (IsAuthenticated, IsCreationOrFollowOrOwnerOrReadOnly,)

    def perform_create(self, serializer):
        serializer.save(owner=self.request.user, location=self.request.user.userextended.location)

    @detail_route(methods=['post'])
    def follow(self, request, pk=None):
        page = self.get_object()
        page.users.add(request.user)
        return Response(status=status.HTTP_204_NO_CONTENT)
```
The problem is that when I try to follow an object, it gives me a 403_FORBIDDEN status code. I assume this is because in `has_permission` I have to add this line:

```python
if view.action == 'follow':
    return True
```

But even if I add that line, I still get a 403_FORBIDDEN error when the owner tries to PUT their own object (which is probably because in my `has_permission` method I don't have `if view.action == 'update': return True`, but PUT, PATCH and DELETE all depend on the object itself (`if obj.owner == request.user`)). So how can I allow any user to follow an object while only allowing the owner to PUT, PATCH and DELETE (follow is also an object-level permission, so putting it in `has_permission` makes no sense to me, since it relates to the object)?
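The behaviour the question runs into follows from the order in which DRF evaluates the two hooks: `has_permission()` runs for every request before the object is fetched, and `has_object_permission()` is only consulted after `get_object()` and only when every `has_permission()` already returned `True`. Any action whose real decision depends on the object (update, partial_update, destroy, follow) therefore has to pass the view-level check and be decided at object level. The following is an added example, not the asker's code; it uses DRF's `BasePermission` when the package is installed and otherwise a minimal stand-in with the same two methods, and it drives the class with constructed request, view and page objects (`SimpleNamespace`) rather than real Django models. The `evaluate()` helper, `OBJECT_LEVEL_ACTIONS`, and the sample users are assumptions made for the demonstration.

```python
"""Splitting view-level and object-level checks in DRF's evaluation order."""
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:  # stand-in so the example runs without Django/DRF installed
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True

# Actions decided per object: the view-level check lets them through and the
# owner test happens once the object is known.  (Assumed set, not DRF's.)
OBJECT_LEVEL_ACTIONS = {"update", "partial_update", "destroy", "follow"}


class IsCreationOrFollowOrOwnerOrReadOnly(BasePermission):
    def has_permission(self, request, view):
        # Reads and staff are always allowed at the view level.
        if request.method in SAFE_METHODS or request.user.is_staff:
            return True
        if view.action == "create":
            return True
        # Returning False here would produce 403 before the object is loaded,
        # so object-dependent actions are deferred rather than refused.
        return view.action in OBJECT_LEVEL_ACTIONS

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS or request.user.is_staff:
            return True
        if view.action == "follow":
            return True  # any authenticated user may follow a page
        # A Page exposes .owner; a User object is compared with itself.
        owner = getattr(obj, "owner", obj)
        return owner == request.user


def evaluate(action, method, user, obj=None):
    """Mimic DRF: check_permissions() first, then check_object_permissions().

    Returns (view_level_allowed, object_level_allowed).  The second value is
    None when DRF would never reach the object check: either the view-level
    check failed (403 raised there) or the action has no object (create).
    """
    perm = IsCreationOrFollowOrOwnerOrReadOnly()
    request = SimpleNamespace(method=method, user=user)
    view = SimpleNamespace(action=action)
    if not perm.has_permission(request, view):
        return (False, None)
    if obj is None:
        return (True, None)
    return (True, perm.has_object_permission(request, view, obj))


# Constructed sample users and page; not real data.
alice = SimpleNamespace(username="alice", is_staff=False)
bob = SimpleNamespace(username="bob", is_staff=False)
page = SimpleNamespace(owner=alice)

if __name__ == "__main__":
    print("bob follows alice's page:", evaluate("follow", "POST", bob, page))
    print("bob updates alice's page:", evaluate("update", "PUT", bob, page))
    print("alice updates own page:  ", evaluate("update", "PUT", alice, page))
    print("alice deletes own page:  ", evaluate("destroy", "DELETE", alice, page))
```

With this split the non-owner's follow and the owner's PUT both reach the object-level check and succeed, while a non-owner's PUT passes the view-level check and is then refused at object level, which is the outcome the question asks for.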