Django的REST框架：幫助的對象級別權限

Question

按照本教程：

http://django-rest-framework.org/tutorial/1-serialization.html

通過http://django-rest-framework.org/tutorial/4-authentication-and-permissions.html

我有這樣的代碼：

# models.py 
class Message(BaseDate): 
    """ 
    Private Message Model 
    Handles private messages between users 
    """ 
    status = models.SmallIntegerField(_('status'), choices=choicify(MESSAGE_STATUS)) 
    from_user = models.ForeignKey(User, verbose_name=_('from'), related_name='messages_sent') 
    to_user = models.ForeignKey(User, verbose_name=_('to'), related_name='messages_received') 
    text = models.TextField(_('text')) 
    viewed_on = models.DateTimeField(_('viewed on'), blank=True, null=True) 


# serialisers.py 
class MessageSerializer(serializers.ModelSerializer): 
    from_user = serializers.Field(source='from_user.username') 
    to_user = serializers.Field(source='to_user.username') 

    class Meta: 
     model = Message 
     fields = ('id', 'status', 'from_user', 'to_user', 'text', 'viewed_on') 


# views.py 
from permissions import IsOwner 

class MessageDetail(generics.RetrieveUpdateDestroyAPIView): 
    model = Message 
    serializer_class = MessageSerializer 
    authentication_classes = (TokenAuthentication, SessionAuthentication) 
    permission_classes = (permissions.IsAuthenticated, IsOwner) 


# permissions.py 
class IsOwner(permissions.BasePermission): 
    """ 
    Custom permission to only allow owners of an object to edit or delete it. 
    """ 

    def has_permission(self, request, view, obj=None): 
     # Write permissions are only allowed to the owner of the snippet 
     return obj.from_user == request.user 


# urls.py 
urlpatterns = patterns('', 
    url(r'^messages/(?P<pk>[0-9]+)/$', MessageDetail.as_view(), name='api_message_detail'), 
) 

然後打開API的URL我得到這個錯誤：

**AttributeError at /api/v1/messages/1/ 
'NoneType' object has no attribute 'from_user'** 

Traceback: 
File "/var/www/sharigo/python/lib/python2.6/site-packages/django/core/handlers/base.py" in get_response 
    111.       response = callback(request, *callback_args, **callback_kwargs) 
File "/var/www/sharigo/python/lib/python2.6/site-packages/django/views/generic/base.py" in view 
    48.    return self.dispatch(request, *args, **kwargs) 
File "/var/www/sharigo/python/lib/python2.6/site-packages/django/views/decorators/csrf.py" in wrapped_view 
    77.   return view_func(*args, **kwargs) 
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in dispatch 
    363.    response = self.handle_exception(exc) 
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in dispatch 
    351.    self.initial(request, *args, **kwargs) 
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in initial 
    287.   if not self.has_permission(request): 
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in has_permission 
    254.    if not permission.has_permission(request, self, obj): 
File "/var/www/sharigo/sharigo/apps/sociable/permissions.py" in has_permission 
    17.   return obj.from_user == request.user 

Exception Type: AttributeError at /api/v1/messages/1/ 
Exception Value: 'NoneType' object has no attribute 'from_user' 

好像None被作爲參數「obj」的值傳遞給isOwner.has_permission（）。 我在做什麼錯？我想我嚴格遵循了教程。

Answer 1

當has_permission()被調用obj=None它應該返回用戶是否有權限任何這種類型的對象。所以你應該在沒有通過時處理這種情況。

你的代碼應該是這樣的：

def has_permission(self, request, view, obj=None): 
    # Write permissions are only allowed to the owner of the snippet 
    return obj is None or obj.from_user == request.user 

Answer 2

使用功能has_object_permission而不是has_permission。

例如：

def has_object_permission(self, request, view, obj=None): 
    return obj.from_user == request.user 

，並調用函數check_object_permissions內的get_object的意見

def get_object(self): 
    obj = get_object_or_404(self.get_queryset()) 
    self.check_object_permissions(self.request, obj) 
    return obj