Update user info permissions in Django REST framework

I have set the permissions for the update method so that only Admin users are allowed to update user info, but for some reason, when I log in as a regular user, I can also update user info. What should I do to avoid this? Other approaches are also fine.

    from rest_framework import viewsets
    from rest_framework.parsers import JSONParser
    from rest_framework.permissions import IsAdminUser, IsAuthenticated

    from . import models, serializers


    class CustomUserViewSet(viewsets.ModelViewSet):
        queryset = models.CustomUser.objects.all()
        serializer_class = serializers.CustomUserSerializer
        parser_classes = [JSONParser]
        permission_classes_by_action = {
            'create': [IsAdminUser], 'list': [IsAdminUser], 'retrieve': [IsAuthenticated],
            'update': [IsAdminUser],  # <-- already set here
            'destroy': [IsAdminUser,]
        }

        def update(self, request, *args, **kwargs):
            return super(CustomUserViewSet, self).update(request, *args, **kwargs)

        # some other methods

        def get_permissions(self):
            try:
                # return permission_classes depending on `action`
                return [permission() for permission in self.permission_classes_by_action[self.action]]
            except KeyError:
                # action is not set, return default permission_classes
                return [permission() for permission in self.permission_classes]

In DRF ViewSets, the HTTP PATCH method is mapped to the action name partial_update. So you have to update the permission_classes_by_action attribute to

    permission_classes_by_action = {
        'create': [IsAdminUser],
        'list': [IsAdminUser],
        'retrieve': [IsAuthenticated],
        'update': [IsAdminUser],
        'partial_update': [IsAdminUser],
        'destroy': [IsAdminUser, ]
    }
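To see why the PATCH request slipped through, here is an added example (not code from the question or the answer) that models DRF's method-to-action routing and the asker's get_permissions() fallback without Django installed. It assumes the viewset never sets permission_classes, so the KeyError branch falls back to DRF's default AllowAny, and it also shows that a fail-closed default would have blocked the same request.

```python
# Added example, not code from the question or the answer: a dependency-free
# model of how a DRF ModelViewSet routes HTTP methods to action names and how
# the asker's get_permissions() behaves when an action is missing from the map.
# Assumption: permission_classes is not overridden, so the fallback is DRF's
# default DEFAULT_PERMISSION_CLASSES, which is AllowAny.

# Standard ModelViewSet routing for the detail route (/users/<pk>/).
DETAIL_ACTIONS = {"GET": "retrieve", "PUT": "update",
                  "PATCH": "partial_update", "DELETE": "destroy"}


class User:
    def __init__(self, is_authenticated, is_staff):
        self.is_authenticated = is_authenticated
        self.is_staff = is_staff


# Minimal stand-ins for the DRF permission classes used in the question.
class AllowAny:
    def has_permission(self, user):
        return True


class IsAuthenticated:
    def has_permission(self, user):
        return user.is_authenticated


class IsAdminUser:
    def has_permission(self, user):
        return user.is_authenticated and user.is_staff


# The mapping from the question (no 'partial_update') and the answer's fix.
ORIGINAL = {"create": [IsAdminUser], "list": [IsAdminUser],
            "retrieve": [IsAuthenticated], "update": [IsAdminUser],
            "destroy": [IsAdminUser]}
FIXED = {**ORIGINAL, "partial_update": [IsAdminUser]}


def is_allowed(mapping, method, user, default=(AllowAny,)):
    """Mirror get_permissions(): look the action up, else use the defaults."""
    action = DETAIL_ACTIONS[method.upper()]
    try:
        perms = [p() for p in mapping[action]]
    except KeyError:
        perms = [p() for p in default]  # fail-open when default is AllowAny
    return all(p.has_permission(user) for p in perms)
```

With ORIGINAL, a regular user's PATCH reaches the AllowAny fallback and is accepted, while the same request against FIXED is refused; passing default=(IsAdminUser,) shows that a fail-closed default would have caught the omission even before the fix.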
