2017-07-26 62 views
1

Django REST framework - remove Delete from the browsable API

I have the following view:

def retrieve(self, request, pk=None, **kwargs):
    try:
        instance = self.get_object()
        self.check_object_permissions(self.request, instance)
        serializer = PasswordFolderSerializer(instance, context={'request': request})
        return Response(serializer.data)
    except Http404:
        return Response(status=status.HTTP_404_NOT_FOUND)

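When I'm not logged in I get a 403, which is fine, but the "Delete" button is still shown in the browsable API. How do I get rid of it? Here are my permissions: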

class CanRetrievePasswordFolder(permissions.DjangoObjectPermissions):

    def has_permission(self, request, view):
        if request.user is None:
            return False
        else:
            return True

    def has_object_permission(self, request, view, obj):
        access_levels = ['Owner', 'Admin', 'Read']
        if get_permission_level(request, obj) is None:
            return False
        else:
            level = AccessLevel.objects.get(pk=get_permission_level(request, obj).level_id).name
            if request.method in permissions.SAFE_METHODS:
                return True
            else:
                for access in access_levels:
                    if level == access:
                        return True
                    else:
                        return False

Answer

0

Silly enough, I had to add IsAuthenticated to my permissions tuple in the view, like so:

permission_classes_by_action = {
    'create': [CanCreatePasswordFolder, IsAuthenticated],
    'list': [CanListPasswordFolder, IsAuthenticated],
    'retrieve': [CanRetrievePasswordFolder, IsAuthenticated],
    'partial_update': [CanUpdatePasswordFolder, IsAuthenticated],
    'update': [CanUpdatePasswordFolder, IsAuthenticated],
    'destroy': [CanDestroyPasswordFolder, IsAuthenticated],
}
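
Why adding IsAuthenticated changes what the browsable API renders, shown as an added example that is not part of the original question or answer. It uses stand-in classes instead of Django/DRF imports and assumes that an unauthenticated DRF request carries an AnonymousUser object rather than None, and that the Delete form is gated by the view-level permission checks when no object was serialized; `view_level_allowed` and `delete_button_shown` are hypothetical helper names.

```python
# Added example: stand-in classes only, no Django/DRF import needed.
# Assumption: an unauthenticated DRF request carries an AnonymousUser
# object (never None), modelled here by the AnonymousUser stand-in.

class AnonymousUser:
    is_authenticated = False

class User:
    is_authenticated = True

class Request:
    def __init__(self, user, method="GET"):
        self.user = user
        self.method = method

class CanRetrievePasswordFolder:
    """View-level check as posted in the question."""
    def has_permission(self, request, view):
        return request.user is not None  # also True for AnonymousUser

class IsAuthenticated:
    """Same test as rest_framework.permissions.IsAuthenticated."""
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_authenticated)

def view_level_allowed(permission_classes, request, view=None):
    """Model of check_permissions(): every class must return True."""
    return all(p().has_permission(request, view) for p in permission_classes)

def delete_button_shown(permission_classes, user):
    """Simplified model (assumption) of the browsable API's decision for the
    DELETE form when no object was serialized, e.g. on a 403 response: only
    the view-level checks run, against a request whose method is DELETE."""
    return view_level_allowed(permission_classes, Request(user, "DELETE"))

if __name__ == "__main__":
    anon = AnonymousUser()
    # Question's permissions only: the anonymous user passes the view-level check.
    print(delete_button_shown([CanRetrievePasswordFolder], anon))
    # Answer's permissions: IsAuthenticated rejects the anonymous user.
    print(delete_button_shown([CanRetrievePasswordFolder, IsAuthenticated], anon))
    # A logged-in user still passes both checks.
    print(delete_button_shown([CanRetrievePasswordFolder, IsAuthenticated], User()))
```
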