1
我有以下看法:Django的REST框架 - 可瀏覽API刪除刪除
def retrieve(self, request, pk=None, **kwargs):
try:
instance = self.get_object()
self.check_object_permissions(self.request, instance)
serializer = PasswordFolderSerializer(instance, context={'request': request})
return Response(serializer.data)
except Http404:
return Response(status=status.HTTP_404_NOT_FOUND)
當沒有登錄我會得到一個403,這是很好,不過「刪除」按鈕仍顯示可瀏覽的API中。我如何擺脫這個?這裏是我的權限:
class CanRetrievePasswordFolder(permissions.DjangoObjectPermissions):
def has_permission(self, request, view):
if request.user is None:
return False
else:
return True
def has_object_permission(self, request, view, obj):
access_levels = ['Owner', 'Admin', 'Read']
if get_permission_level(request, obj) is None:
return False
else:
level = AccessLevel.objects.get(pk=get_permission_level(request, obj).level_id).name
if request.method in permissions.SAFE_METHODS:
return True
else:
for access in access_levels:
if level == access:
return True
else:
return False