我创建了权限类,每个人都可以读取对象,只有管理员创建对象。但当我注销并尝试创建对象时,权限类允许我。我错过了什么?
models.py
class Book(models.Model):
title = models.CharField(max_length=20)
content = models.TextField()
page = models.IntegerField()
views.py
class BookAPIView(
mixins.CreateModelMixin,
generics.ListAPIView):
permission_classes = [IsAdminOrReadOnly]
serializer_class = BookSerializer
queryset = Book.objects.all()
def post(self, request, *args, **kwargs):
return self.create(request, *args, **kwargs)
permissions.py
class IsAdminOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
if request.method == 'GET':
return True
return request.user.is_staff
您需要覆盖has_permission
:
class IsAdminOrReadOnly(permissions.BasePermission):
def has_permission(self, request, view):
if request.method == 'GET':
return True
return request.user.is_staff
has_object_permission
允许您修改一个现有对象。