我有以下设置:
允许
def get_permission_level(request, obj):
try:
level = PasswordListACL.objects.get(list=obj, user=request.user)
except PasswordListACL.DoesNotExist:
level = None
return level
class IsPasswordListOwner(permissions.DjangoObjectPermissions):
def has_permission(self, request, view):
return True
def has_object_permission(self, request, view, obj):
print(get_permission_level(request, obj))
if get_permission_level(request, obj) == None:
print('false')
return False
else:
level = AccessLevel.objects.get(pk=get_permission_level(request, obj).level_id).name
if level == 'Owner':
return True
else:
return False
我可以通过我的print('false')确认权限正在行动,并且它正在返回正确的值(我期望False),但是该视图仍在返回数据而不是403。
views.py
class PasswordListViewSet(viewsets.ModelViewSet):
queryset = PasswordList.objects.all()
serializer_class = PasswordListSerializer
permission_classes = (IsPasswordListOwner,)
def list(self, request):
self.permission_classes = [IsPasswordListOwner, ]
queryset = self.get_queryset().filter(passwordlistacl__user=request.user)
serializer = PasswordListSerializer(queryset, many=True, context={'request': request})
return Response(serializer.data)
def retrieve(self, request, pk=None):
self.permission_classes = [IsPasswordListOwner, ]
queryset = self.get_queryset()
if get_object_or_404(queryset, pk=pk):
password = get_object_or_404(queryset, pk=pk)
else:
pass
serializer = PasswordListSerializer(password, context={'request': request})
return Response(serializer.data)
编辑 - 更改has_permission的返回确认我的has_object_permission?
这样做给我403(正确):
def has_permission(self, request, view):
return False
文档状态:
如果您正在编写自己的视图并想要执行对象级别的权限,或者如果您在通用视图上覆盖get_object方法,则您需要在上述.check_object_permissions(request,obj)方法上的.check_object_permissions(obj)方法在您检索对象的位置查看。
因此,由于您没有调用get_object(),您需要在某个时候调用self.check_object_permissions(self.request, obj)。