Here is my permission class:
from rest_framework import permissions


class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly(permissions.BasePermission):
    """
    Allow only the owner (and admin) of the object to make changes (i.e.
    do PUT, PATCH, DELETE and POST requests). Allow all other users
    ReadOnly or Follow options. This is for UserViewSet. Allow unauthenticated users to
    create objects.
    """

    def has_permission(self, request, view):
        # Anonymous users may only reach the 'create' action.
        if not request.user.is_authenticated():
            if view.action == 'create':
                return True
            return False
        # View-level gate for authenticated users; runs before any object is loaded.
        return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action == 'follow'

    def has_object_permission(self, request, view, obj):
        # Object-level gate; only reached if has_permission returned True.
        if not request.user.is_authenticated():
            return False
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.user.is_staff:
            return True
        if view.action == 'follow':
            return True
        return obj.owner == request.user
The problem is that an authenticated user cannot PUT, PATCH or DELETE their own account, because has_permission says:

    return request.method in permissions.SAFE_METHODS or request.user.is_staff or view.action == 'follow'

However, PUT, PATCH and DELETE here depend on whether obj.owner == request.user (they depend on the object). So, given that has_permission has no access to the object and therefore rejects every PUT, PATCH and DELETE, how can I allow users to PUT, PATCH and DELETE only their own account (since that depends entirely on whether obj.owner == request.user)?
Posted on 2015-11-04 19:54:39
Why not drop has_permission and modify has_object_permission to check for POST?
from rest_framework import permissions


class IsCreationOrAuthenticatedOrIsOwnerOrWatchOrReadOnly(permissions.BasePermission):
    # has_permission is not overridden; BasePermission's default returns True,
    # so every request reaches the object-level check below.

    def has_object_permission(self, request, view, obj):
        if request.method == 'POST':
            return True
        if not request.user.is_authenticated():
            return False
        if request.method in permissions.SAFE_METHODS:
            return True
        if request.user.is_staff:
            return True
        if view.action == 'follow':
            return True
        return obj.owner == request.user
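A runnable version of the split the question is after, added here as an example that is not part of the original question or answer. It keeps the two-hook shape of DRF's BasePermission but uses constructed stand-ins (a local SAFE_METHODS tuple, dataclasses for the user, request and owned object, an `action` argument in place of `view.action`, and `is_authenticated` as an attribute rather than the method the question's code calls) so it runs without Django; `check()` mirrors the order in which DRF calls the hooks, which is why has_permission has to let unsafe methods through for authenticated users and leave ownership to has_object_permission.

```python
from dataclasses import dataclass

# Stand-in for rest_framework.permissions.SAFE_METHODS (same values as DRF's).
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class User:
    """Constructed stand-in for request.user (is_authenticated as an attribute)."""
    name: str
    is_authenticated: bool = True
    is_staff: bool = False


@dataclass
class Request:
    method: str
    user: User


@dataclass
class Account:
    """Constructed stand-in for the owned object."""
    owner: User


class IsOwnerOrStaffOrReadOnly:
    """View level: anonymous users may only create; everyone else passes so the
    object hook can decide. Object level: owner or staff may modify, safe methods
    and 'follow' are open to any authenticated user."""

    def has_permission(self, request, action):
        if not request.user.is_authenticated:
            return action == "create"
        return True  # ownership is only knowable once the object is loaded

    def has_object_permission(self, request, action, obj):
        if not request.user.is_authenticated:
            return False
        if request.method in SAFE_METHODS or request.user.is_staff:
            return True
        if action == "follow":
            return True
        return obj.owner == request.user


def check(perm, request, action, obj=None):
    """Mirror DRF's order: has_permission first; object hook only for detail actions."""
    if not perm.has_permission(request, action):
        return False
    if obj is None:  # list/create: DRF never calls has_object_permission here
        return True
    return perm.has_object_permission(request, action, obj)
```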
https://stackoverflow.com/questions/33489516