Problem description
I have a basic Viewset:
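from rest_framework import viewsets

# User, UserSerializer and OnlyStaff come from the asker's project.
class UsersViewSet(viewsets.ModelViewSet):
    permission_classes = (OnlyStaff,)
    queryset = User.objects.all()
    serializer_class = UserSerializer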
It is bound to the /api/users/ endpoint. I want to create a user profile page, so I need only a particular user, so I can retrieve it from /api/users/<id>/, but the problem is that I want /api/users/<id>/ to be allowed to anyone, but /api/users/ to keep its permission OnlyStaff, so no one can have access to the full list of users.
Note: Perhaps it's not such a good implementation, since anyone could brute force the data incrementing the id, but I'm willing to change it from <id> to <slug>.
How can I delete the permission from detail route?
Thanks.
Recommended answer
Override the get_permissions() method as below:
from rest_framework import viewsets
from rest_framework.permissions import AllowAny


class UsersViewSet(viewsets.ModelViewSet):
    permission_classes = (OnlyStaff,)
    queryset = User.objects.all()
    serializer_class = UserSerializer

    def get_permissions(self):
        # The detail route (GET /api/users/<id>/) is open to anyone.
        if self.action == 'retrieve':
            return [AllowAny(), ]
        # Every other action keeps permission_classes (OnlyStaff).
        return super(UsersViewSet, self).get_permissions()