Django Rest Framework 自定义权限的消息未显示

【问题标题】:Django Rest Framework Custom Permission's Message Not ShownDjango Rest Framework 自定义权限的消息未显示
【发布时间】:2019-04-01 19:49:31
【问题描述】:

我正在使用 Django Rest Framework 编写应用程序。

我创建了一个自定义权限。我为自定义权限提供了message 属性,但仍返回默认详细信息。

让我给你我的代码。

permissions.py:

from annoying.functions import get_object_or_None
from rest_framework import permissions

from intquestions.models import IntQuestion

from ..models import Candidate, CandidatePickedIntChoice

CANDIDATE_ALREADY_ANSWERED = "This candidate already answered all questions."


class CandidateAnsweredQuestionsPermission(permissions.BasePermission):
    """
    Permission to check if the candidate has answered all questions.
    Expects candidate's email or UUID in the request's body.
    """
    message = CANDIDATE_ALREADY_ANSWERED

    def has_permission(self, request, view):
        candidate = None
        email = request.data.get("email", None)
        if email:
            candidate = get_object_or_None(Candidate, email=email)
        else:
            uuid = request.data.get("candidate", None)
            if uuid:
                candidate = get_object_or_None(Candidate, uuid=uuid)

        if candidate:
            picked_choices = CandidatePickedIntChoice.objects.filter(
                candidate=candidate
            ).count()
            total_int_questions = IntQuestion.objects.count()

            if picked_choices >= total_int_questions:
                return False

        return True

views.py:

from annoying.functions import get_object_or_None
from rest_framework import generics, status
from rest_framework.response import Response

from ..models import Candidate, CandidatePickedIntChoice
from .permissions import CandidateAnsweredQuestionsPermission
from .serializers import CandidateSerializer


class CandidateCreateAPIView(generics.CreateAPIView):
    serializer_class = CandidateSerializer
    queryset = Candidate.objects.all()
    permission_classes = (CandidateAnsweredQuestionsPermission,)

    def create(self, request, *args, **kwargs):
        candidate = get_object_or_None(Candidate, email=request.data.get("email", None))
        if not candidate:
            serializer = self.get_serializer(data=request.data)
            serializer.is_valid(raise_exception=True)
            self.perform_create(serializer)
            headers = self.get_success_headers(serializer.data)
            return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
        else:
            serializer = self.get_serializer(candidate, data=request.data)
            serializer.is_valid(raise_exception=True)
            return Response(serializer.data, status=status.HTTP_200_OK)

注意:我正在构建的应用程序可以让应聘者回答问题。我之所以这样重写 create 函数,是为了让尚未完成所有问题的候选人仍然能够回答所有问题。

为什么权限消息是默认的"Authentication credentials were not provided."而不是我自己的?

【问题讨论】:

    标签: django permissions django-rest-framework django-permissions django-2.1


    【解决方案1】:

    消息Authentication credentials were not provided. 说,您没有提供凭据。它不同于 凭据错误 消息

    接下来的事情是,BasePermission 类没有属性 message,因此除非您强制,否则它不会使用您的 message 属性。 (Source Code)

    如何显示自定义的PermissionDenied 消息?
    从视图集的 permission_denied() 方法引发的 PermissionDenied 异常 (Source Code)
    所以你的观点应该是,

    from rest_framework import exceptions


class CandidateCreateAPIView(generics.CreateAPIView):
    # your code
    def permission_denied(self, request, message=None):
        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated()
        raise exceptions.PermissionDenied(detail=CANDIDATE_ALREADY_ANSWERED)

    【讨论】:

    • 哇,这太奇怪了。首先,In the docs 就在示例上方,它说message 将提供自定义消息。其次,我在设置中使用AllowAny 作为我的默认权限。那么为什么它会要求提供身份验证凭据呢?我提供的唯一其他权限是我的自定义权限。
    • Here我找到了指定message属性的那一行。
    • 我认为,我的回答部分正确。您是如何向 API 提供凭据的?
    • 再一次,我没有提供任何凭据,因为我的视图权限是AllowAny
    【解决方案2】:

    我也遇到了同样的问题,终于找到重点了:

    不要使用任何身份验证

    REST_FRAMEWORK = {
    # other settings...
    'DEFAULT_AUTHENTICATION_CLASSES': [],
    'DEFAULT_PERMISSION_CLASSES': [],
}

    【讨论】:

      【解决方案3】:

      我遇到了同样的问题,我找到了解决方法,你甚至不需要 AllowAny Permission,只需将 authentication_classes 设置为空数组,例如:

      class TestView(generics.RetrieveAPIView):
        
    renderer_classes = (JSONRenderer,)
    permission_classes = (isSomethingElse,)
    serializer_class = ProductSerializer
    authentication_classes = [] # You still need to declare it even it is empty
    
    
    def retrieve(self, request, *args, **kwargs):
        pass

      希望它仍然有帮助。

      【讨论】:

        【解决方案4】:

        Per Tom Christie(DRF 的作者):

        如果您不想,我建议明确提出PermissionDenied 允许“未经身份验证与权限被拒绝”检查运行。

        他没有继续明确提及最佳地点在哪里。接受的答案似乎在视图中做到了。但是,恕我直言,我觉得最好的地方是自定义 Permission 类本身,因为视图可能有多个权限,其中任何一个都可能失败。

        所以这是我的看法(为简洁起见,代码被截断):

        from rest_framework import exceptions, permissions     # <-- import exceptions

CANDIDATE_ALREADY_ANSWERED = "This candidate already answered all questions."


class CandidateAnsweredQuestionsPermission(permissions.BasePermission):
    message = CANDIDATE_ALREADY_ANSWERED

    def has_permission(self, request, view):
        if picked_choices >= total_int_questions:
            raise exceptions.PermissionDenied(detail=CANDIDATE_ALREADY_ANSWERED)     # <-- raise PermissionDenied here

        return True

        【讨论】:

          猜你喜欢
          • 2015-08-18
          • 2020-09-16
          • 1970-01-01
          • 1970-01-01
          • 1970-01-01
          • 2020-12-18
          • 2014-01-22
          • 2021-06-18
          • 2020-02-02
          相关资源
          最近更新 更多
          热门标签
          Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode