【Posted】: 2018-09-19 10:53:37
【Question】:
My files are as follows:
BusinessActionsPermission

from rest_framework.permissions import BasePermission


class BusinessActionsPermission(BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_permission(self, request, view):
        # View-level check: DRF runs this for every request, including POST.
        return True

    def has_object_permission(self, request, view, obj):
        # Object-level check: DRF runs this only when the view calls
        # get_object() / check_object_permissions().
        business_obj = view.get_business_obj()
        if request.method in ['GET']:
            return request.user.has_perm('act_on_business', business_obj)
        if request.method in ['PUT', 'PATCH', 'DELETE']:
            return request.user.has_perm('act_on_business', business_obj)
        return False
EmployeeViewSet

from rest_framework import permissions, status, viewsets
from rest_framework.response import Response

from .models import Business, Employee
from .permissions import BusinessActionsPermission
from .serializers import EmployeePOSTSerializer, EmployeeSerializer


class EmployeeViewSet(viewsets.ModelViewSet):
    serializer_class = EmployeeSerializer
    permission_classes = (permissions.IsAuthenticated, BusinessActionsPermission)

    def get_business_obj(self, **kwargs):
        # Return the single Business instance (filter() would return a QuerySet,
        # which is not an object has_perm() can check).
        return Business.objects.get(pk=self.kwargs['business_id'])

    def get_queryset(self, **kwargs):
        return Employee.objects.filter(business__id=self.kwargs['business_id'])

    def create(self, request, *args, **kwargs):
        business = Business.objects.get(pk=self.kwargs['business_id'])
        employee = Employee(business=business)
        serializer = EmployeePOSTSerializer(employee, data=request.data)
        if serializer.is_valid():
            serializer.save()
            return Response(serializer.data)
        else:
            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
BusinessActionsPermission does not work when the POST method is called to create a new Employee through EmployeeViewSet. A user without act_on_business can POST and create an employee.
The Django Rest Framework documentation here says:
For performance reasons, the generic views will not automatically apply object-level permissions to each instance in a queryset when returning a list of objects.
That is fine, since BusinessActionsPermission is working for detailed retrievals with pk. But it does not work for POST, which is not a list.
Please help.
Note: the BusinessActionsPermission above works perfectly for detail views and does not check list views, which is fine as mentioned in the docs. But what about POST??
【Discussion】:
Tags: django python-3.x django-models django-rest-framework
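As an added illustration (not code from the question or from DRF itself), the following dependency-free model of DRF's permission dispatch shows why the posted create() is never object-checked: has_object_permission runs only through check_object_permissions(), which the generic views call from get_object(), and a custom create() never reaches it. The view, request and user classes are hypothetical stand-ins; the permission here also lists POST, which the posted class does not (without that, an explicit object check would deny every create).

```python
from dataclasses import dataclass, field
from types import SimpleNamespace

@dataclass
class User:
    object_perms: set = field(default_factory=set)  # constructed: {(business pk, codename)}
    def has_perm(self, perm, obj):
        return (obj.pk, perm) in self.object_perms

class BusinessActionsPermission:
    """The question's permission logic, with POST added to the checked methods."""
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        if request.method in ("GET", "POST", "PUT", "PATCH", "DELETE"):
            return request.user.has_perm("act_on_business", obj)
        return False

class EmployeeView:
    """Hypothetical model of the DRF view plumbing that matters here, not DRF's classes."""
    permission_classes = (BusinessActionsPermission,)
    def __init__(self, business):
        self.business = business
    def check_permissions(self, request):
        # DRF runs this in initial() for every request, before any handler.
        for perm in self.permission_classes:
            if not perm().has_permission(request, self):
                raise PermissionError
    def check_object_permissions(self, request, obj):
        # DRF runs this only from get_object(); a custom create() has to call it itself.
        for perm in self.permission_classes:
            if not perm().has_object_permission(request, self, obj):
                raise PermissionError
    def retrieve(self, request):  # detail view: get_object() triggers the object check
        self.check_object_permissions(request, self.business)
        return 200
    def create_as_posted(self, request):  # the question's create(): no object check at all
        return 201
    def create_fixed(self, request):
        self.check_object_permissions(request, self.business)
        return 201

def dispatch(view, handler, method, user):
    """Run one request the way DRF does: check_permissions(), then the handler; 403 if denied."""
    request = SimpleNamespace(method=method, user=user)  # stand-in for a DRF Request
    try:
        view.check_permissions(request)
        return getattr(view, handler)(request)
    except PermissionError:
        return 403
```

In the real viewset the equivalent fix is to call self.check_object_permissions(request, business) in create() before saving, and to let has_object_permission accept POST.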