问题描述

我试图限制用户对对象的访问。只有创作者才能修改对象。为了这个目的，就像他们在教程中所说的那样，我写了

I'm trying to limit the access to objects for users. Only creaters should modify objects. For that purpose like they say in tutorial I've written

class IsOwnerOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return False

并将其添加到permission_classes 。但是任何用户仍然可以修改任何对象。
如果我添加方法

and added it to permission_classes. But still any user can modify any object.If I add method

    def has_permission(self, request, view):
        return False

没有人可以做任何事情。所以所有行为都由唯一的没有提供任何方式来处理每个对象权限的has_permission方法控制。
那么我做错了什么？这里是请求处理程序的代码

nobody can do anything. So all behaviour is controlled by the only has_permission method that doesn't provide any way to handle per object permissions.So am I doing something wrong? Here's the code of request handler

class ProblemsHandler(APIView):

    permission_classes = (
        IsOwnerOrReadOnly,
        permissions.IsAuthenticatedOrReadOnly,
    )

    def pre_save(self, request, problem):
        problem.author = request.user

    def get_object(self, request, pk, format):
        try:
            problem = ProblemsModel.objects.get(pk=pk)
            serializer = ProblemsSerializer(problem)
            return Response(serializer.data, status=HTTP_200_OK)
        except ProblemsModel.DoesNotExist:
            raise Http404

    def get_list(self, request, format):
        problems = ProblemsModel.objects.all()
        serializer = ProblemsSerializer(problems, many=True)
        return Response(serializer.data, status=HTTP_200_OK)

    def get(self, request, pk=None, format=None):
        if pk:
            return self.get_object(request, pk, format)
        else:
            return self.get_list(request, format)

    def post(self, request, format=None):
        serializer = ProblemsSerializer(data=request.DATA)
        if serializer.is_valid():
            self.pre_save(request, serializer.object)
            serializer.save()
            return Response(serializer.data, status=HTTP_201_CREATED)
        else:
            return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)

    def put(self, request, pk, format=None):
        try:
            problem = ProblemsModel.objects.get(pk=pk)
            serializer = ProblemsSerializer(problem, data=request.DATA)
            if serializer.is_valid():
                self.pre_save(request, serializer.object)
                serializer.save()
                return Response(serializer.data, status=HTTP_200_OK)
            else:
                return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
        except ProblemsModel.DoesNotExist:
            raise Http404

    def delete(self, request, pk, format=None):
        try:
            problem = ProblemsModel.objects.get(pk=pk)
            problem.delete()
            return Response(status=HTTP_204_NO_CONTENT)
        except ProblemsModel.DoesNotExist:
            raise Http404

推荐答案

权限检查对象由DRF在方法 APIView.check_object_permissions 中完成。

the permission-checks for objects are done by DRF in the method APIView.check_object_permissions.

由于您不使用 GenericAPIView ，您可以定义自己的 get_object 方法，您必须自己调用 check_object_permissions 。由于您误用了get_object，您必须检查GET（单），PUT和DELETE

Since you don't use the GenericAPIView, you define your own get_object method and you have to call check_object_permissions yourself. Since you are mis-using get_object a bit, you have to check for GET (single), PUT and DELETE

self.check_object_permissions(self.request, obj)

也许更好看一下，因为您的用例看起来很像它们。通常 get_object 应该只返回一个对象并检查权限。

Perhaps have a better look at the DRF Generic Views, since your use-case looks much like them. Normally get_object should only return an object and check the permissions.