has_object_permission does not work for the detail action decorator



I have a private action decorator for my user view. I want only the user in question to be able to access the action.

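# views.py
from django.contrib.auth import get_user_model
from django.shortcuts import get_object_or_404
from rest_framework import status, viewsets
from rest_framework.decorators import action
from rest_framework.response import Response
from .permissions import IsSelf
from .serializers import UserPrivateSerializer, UserSerializer  # assumed module name

class UserViewSet(viewsets.ModelViewSet):
    queryset = get_user_model().objects.all()
    serializer_class = UserSerializer

    @action(detail=True, permission_classes=[IsSelf])
    def private(self, request, pk):
        # The object is fetched directly, not through self.get_object()
        user = get_object_or_404(get_user_model(), pk=pk)
        data = UserPrivateSerializer(user).data
        return Response(data, status=status.HTTP_200_OK)

# permissions.py
from rest_framework import permissions

class IsSelf(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return obj == request.user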

However, it looks like anyone can perform my private action, even if I explicitly declare IsSelf to be False:

class IsSelf(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # This has no effect
        return False

What am I missing?

FYI
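The instance-level has_object_permission(...) method is only called if the view-level has_permission(...) check has already passed. Since it inherits from BasePermission, has_permission(...) already returns True.

The has_object_permission(...) method is called when you call the GenericAPIView.get_object() method.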

class UserViewSet(viewsets.ModelViewSet):
    queryset = get_user_model().objects.all()
    serializer_class = UserSerializer

    @action(detail=True, permission_classes=[IsSelf])
    def private(self, request, *args, **kwargs):
        user = self.get_object()
        data = UserPrivateSerializer(user).data
        return Response(data, status=status.HTTP_200_OK)
