has_object_permission 不适用于细节动作装饰器?
has_object_permission not working for detail action decorator?
我有一个用于用户视图的 private
动作装饰器。我希望该操作仅供相关用户访问。
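# views.py
class UserViewSet(viewsets.ModelViewSet):
    """User endpoints; ``private`` is intended to be readable only by the user it describes."""

    queryset = get_user_model().objects.all()
    serializer_class = UserSerializer

    @action(detail=True, permission_classes=[IsSelf])
    def private(self, request, pk):
        """Return the private representation of the user identified by ``pk``.

        This is the version from the question: the object-level rule in
        IsSelf is declared on the action but never evaluated here.
        """
        # NOTE(review): get_object_or_404() loads the row directly and does not
        # call self.check_object_permissions(request, obj), so
        # IsSelf.has_object_permission() is never consulted. Only the inherited
        # view-level has_permission() runs, and that returns True.
        user = get_object_or_404(get_user_model(), pk=pk)
        data = UserPrivateSerializer(user).data
        return Response(data, status=status.HTTP_200_OK)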
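# permissions.py
class IsSelf(permissions.BasePermission):
    """Object-level permission: allow access only when the object is the requesting user.

    Only has_object_permission() is overridden; the view-level
    has_permission() inherited from BasePermission returns True. The rule
    therefore takes effect only in views that actually run the object-level
    check (GenericAPIView.get_object() or an explicit
    check_object_permissions() call).
    """

    def has_object_permission(self, request, view, obj):
        """Return True only when ``obj`` compares equal to ``request.user``."""
        return obj == request.user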
但是,看起来任何人都可以访问我的 private 操作 - 即使我让 IsSelf 明确返回 False:
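class IsSelf(permissions.BasePermission):
    """Diagnostic variant of IsSelf that denies every object it is asked about."""

    def has_object_permission(self, request, view, obj):
        """Always deny; used to show whether the object-level check is reached."""
        # This has no effect while the view never runs the object-level check:
        # if requests still succeed, this method is not being called at all.
        return False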
我错过了什么?
仅供参考:
仅当视图级 has_permission(...)
检查已经通过时,才会调用实例级 has_object_permission(...)
方法。由于它继承自 BasePermission
,has_permission(...)
已经返回 True
值。
当您调用 GenericAPIView 的 .get_object() 方法时,将调用 has_object_permission(...) 方法。问题中的 get_object_or_404(...) 直接取对象,不会触发这一检查;如果必须自行取对象,需要显式调用 self.check_object_permissions(request, obj)。
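class UserViewSet(viewsets.ModelViewSet):
    """User endpoints; ``private`` is readable only when IsSelf allows the object."""

    queryset = get_user_model().objects.all()
    serializer_class = UserSerializer

    @action(detail=True, permission_classes=[IsSelf])
    def private(self, request, *args, **kwargs):
        """Return the private representation of the user addressed by the URL."""
        # get_object() resolves the instance from the URL kwargs and runs the
        # object-level permission check, which is what invokes
        # IsSelf.has_object_permission(); a denied check aborts the request
        # before any private data is serialized.
        user = self.get_object()
        data = UserPrivateSerializer(user).data
        return Response(data, status=status.HTTP_200_OK)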
我有一个用于用户视图的 private
动作装饰器。我希望该操作仅供相关用户访问。
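# views.py
class UserViewSet(viewsets.ModelViewSet):
    """User endpoints; ``private`` is intended to be readable only by the user it describes."""

    queryset = get_user_model().objects.all()
    serializer_class = UserSerializer

    @action(detail=True, permission_classes=[IsSelf])
    def private(self, request, pk):
        """Return the private representation of the user identified by ``pk``.

        This is the version from the question: the object-level rule in
        IsSelf is declared on the action but never evaluated here.
        """
        # NOTE(review): get_object_or_404() loads the row directly and does not
        # call self.check_object_permissions(request, obj), so
        # IsSelf.has_object_permission() is never consulted. Only the inherited
        # view-level has_permission() runs, and that returns True.
        user = get_object_or_404(get_user_model(), pk=pk)
        data = UserPrivateSerializer(user).data
        return Response(data, status=status.HTTP_200_OK)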
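# permissions.py
class IsSelf(permissions.BasePermission):
    """Object-level permission: allow access only when the object is the requesting user.

    Only has_object_permission() is overridden; the view-level
    has_permission() inherited from BasePermission returns True. The rule
    therefore takes effect only in views that actually run the object-level
    check (GenericAPIView.get_object() or an explicit
    check_object_permissions() call).
    """

    def has_object_permission(self, request, view, obj):
        """Return True only when ``obj`` compares equal to ``request.user``."""
        return obj == request.user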
但是,看起来任何人都可以访问我的 private 操作 - 即使我让 IsSelf 明确返回 False:
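class IsSelf(permissions.BasePermission):
    """Diagnostic variant of IsSelf that denies every object it is asked about."""

    def has_object_permission(self, request, view, obj):
        """Always deny; used to show whether the object-level check is reached."""
        # This has no effect while the view never runs the object-level check:
        # if requests still succeed, this method is not being called at all.
        return False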
我错过了什么?
仅供参考:
仅当视图级 has_permission(...)
检查已经通过时,才会调用实例级 has_object_permission(...)
方法。由于它继承自 BasePermission
,has_permission(...)
已经返回 True
值。
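当您调用 GenericAPIView 的 .get_object() 方法时,将调用 has_object_permission(...) 方法。问题中的 get_object_or_404(...) 直接取对象,不会触发这一检查;如果必须自行取对象,需要显式调用 self.check_object_permissions(request, obj)。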
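class UserViewSet(viewsets.ModelViewSet):
    """User endpoints; ``private`` is readable only when IsSelf allows the object."""

    queryset = get_user_model().objects.all()
    serializer_class = UserSerializer

    @action(detail=True, permission_classes=[IsSelf])
    def private(self, request, *args, **kwargs):
        """Return the private representation of the user addressed by the URL."""
        # get_object() resolves the instance from the URL kwargs and runs the
        # object-level permission check, which is what invokes
        # IsSelf.has_object_permission(); a denied check aborts the request
        # before any private data is serialized.
        user = self.get_object()
        data = UserPrivateSerializer(user).data
        return Response(data, status=status.HTTP_200_OK)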