DjangoRestFramework - has_permission wrongly overriding has_object_permission
Here is my permission:
from rest_framework import permissions


class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly(permissions.BasePermission):
    """
    Allow only the owner (and admin) of the object to make changes (i.e.
    do PUT, PATCH, DELETE and POST requests). Allow all other users
    ReadOnly or Follow options. This is for UserViewSet. Allow unauthenticated users to
    create objects.
    """

    def has_permission(self, request, view):
        # View-level check: runs for every request, before any object is fetched.
        # is_authenticated is a property since Django 1.10; older releases call is_authenticated().
        if not request.user.is_authenticated:
            if view.action == 'create':
                return True
            return False
        return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action == 'follow'

    def has_object_permission(self, request, view, obj):
        # Object-level check: only reached for detail routes, after has_permission passed.
        if not request.user.is_authenticated:
            return False
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.user.is_staff:
            return True
        if view.action == 'follow':
            return True
        return obj.owner == request.user
The problem is that an authenticated user cannot PUT, PATCH or DELETE their own account, because in has_permission it says:

    return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action=='follow'

However, whether PUT, PATCH and DELETE are allowed depends here on obj.owner == request.user (i.e. on the object). So how can I let users PUT, PATCH and DELETE only their own account, when has_permission has no access to the object and therefore should not allow any PUT, PATCH or DELETE (since all of that depends on whether obj.owner == request.user)?
Why don't you remove the check from has_permission and allow the unsafe methods? They will be checked in has_object_permission anyway. –
@RetoAebersold Because creating objects and getting the list of objects is not handled by has_object_permission; it is handled by has_permission. And I need to make sure that unauthenticated users cannot get the list of objects but can POST (create objects). – user2719875
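The two comments above describe the split that DRF actually enforces: has_permission runs for every request (list and create included) and has_object_permission runs only when a detail view resolves an object. The following is an added example, not the asker's code or DRF's: it rewrites the class so that has_permission gates only what it can decide without the object (anonymous users may only create; authenticated users pass through) and leaves the owner check to has_object_permission. rest_framework is not imported; SAFE_METHODS, the request/view/user objects and the Account model are constructed stand-ins, and allowed() reproduces DRF's check order so the policy can be exercised offline.

```python
# Added example (not the original post's code): view-level vs object-level checks
# for the DRF permission discussed above. DRF itself is not imported; the objects
# below are constructed stand-ins for request.user, request, the ViewSet and the model.
from dataclasses import dataclass

# Same tuple as rest_framework.permissions.SAFE_METHODS.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class User:
    name: str
    is_authenticated: bool = True
    is_staff: bool = False


ANON = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    method: str
    user: User


@dataclass
class View:
    # ViewSet action names: list, create, retrieve, update, partial_update, destroy, follow
    action: str


@dataclass
class Account:
    owner: User


class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly:
    """Same policy as the question, with the owner check left to has_object_permission."""

    def has_permission(self, request, view):
        # Runs for every request, including list and create, before any object exists.
        # Anonymous users may only create; they cannot list, retrieve or modify.
        if not request.user.is_authenticated:
            return view.action == "create"
        # Authenticated users pass the view-level gate for all methods; whether an
        # unsafe method is allowed on a given object is decided below.
        return True

    def has_object_permission(self, request, view, obj):
        # Runs only for detail routes, after has_permission already passed.
        # Kept explicit: BasePermission's default returns True here.
        if not request.user.is_authenticated:
            return False
        if request.method in SAFE_METHODS:
            return True
        if request.user.is_staff:
            return True
        if view.action == "follow":
            return True
        return obj.owner == request.user


def allowed(method, action, user, obj=None):
    """Mimic DRF's order: has_permission for every request, then has_object_permission
    only when the view resolves an object (obj is None for list and create)."""
    perm = IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly()
    request, view = Request(method, user), View(action)
    if not perm.has_permission(request, view):
        return False
    if obj is None:
        return True
    return perm.has_object_permission(request, view, obj)


if __name__ == "__main__":
    alice, bob = User("alice"), User("bob")
    admin = User("admin", is_staff=True)
    acct = Account(owner=alice)
    cases = [
        ("POST", "create", ANON, None),
        ("GET", "list", ANON, None),
        ("PUT", "update", alice, acct),
        ("PATCH", "partial_update", bob, acct),
        ("DELETE", "destroy", admin, acct),
        ("POST", "follow", bob, acct),
    ]
    for method, action, user, obj in cases:
        print(f"{user.name:10} {method:6} {action:15} -> {allowed(method, action, user, obj)}")
```

In a real ViewSet the object-level check is triggered by self.get_object(), so a custom @action(detail=True) such as follow only reaches has_object_permission if it calls get_object(); and obj.owner == request.user compares Django model instances by primary key, which is what the dataclass equality stands in for here.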