use*_*845 3 python django permissions django-rest-framework
我正在使用 Django 和 Django-Rest-Framework 为一个小型学校相关项目编写 API。我正在尝试找出权限。
我正在使用 APIView 作为我的视图,并且希望为每个处理程序方法设置不同的权限,而无需编写更多视图。
这是我对博客模块的看法之一:
(此视图用于/posts/)
from .serializers import *
from django.db.models import Case, When
from rest_framework.views import APIView
from rest_framework.response import Response
from rest_framework.decorators import permission_classes
from rest_framework import status, permissions
# Create your views here.
class PostList(APIView):
"""
API Endpoint to List Posts
METHODS: GET, POST
"""
@permission_classes([permissions.AllowAny,])
def get(self, request, format=None):
posts = Post.objects.all()
serializer = PostSerializer(posts, many=True)
return Response(serializer.data, status=status.HTTP_200_OK)
@permission_classes([permissions.IsAuthenticated])
def post(self, request, format=None):
serializer = PostCreationSerializer(data=request.data)
if serializer.is_valid():
obj = serializer.save()
data = serializer.data
data["id"] = obj.id
return Response(data, status=status.HTTP_201_CREATED)
return Response(status=status.HTTP_400_BAD_REQUEST)
当前的默认值是permissions.IsAuthenticated,但更改它不一定有帮助,因为我仍然需要单独更改一些权限。
因此,我应该能够在未经身份验证的情况下发出 GET 请求/posts/并获取所有帖子的列表,而我应该从对 的 POST 请求获取 401 /posts/。但是,即使 GET 请求也会返回 401 状态代码。
执行此操作的正确方法是什么...如果有的话。
编辑:虽然我提供了自己问题的答案,但我仍然想知道是否有更正确的方法来解决这个问题。
我找到了一个解决方案,尽管我不确定这是最好的方法。
首先,我们创建一个APIView的子类:
from rest_framework.views import APIView
class CustomAPIView(APIView):
def get_permissions(self):
# Instances and returns the dict of permissions that the view requires.
return {key: [permission() for permission in permissions] for key, permissions in self.permission_classes.items()}
def check_permissions(self, request):
# Gets the request method and the permissions dict, and checks the permissions defined in the key matching
# the method.
method = request.method.lower()
for permission in self.get_permissions()[method]:
if not permission.has_permission(request, self):
self.permission_denied(
request, message=getattr(permission, 'message', None)
)
然后我们用它CustomAPIView来写出视图,并使用字典来表示permission_classes键是方法。
例子:
# Create your views here.
class PostList(CustomAPIView):
"""
API Endpoint to List Posts
METHODS: GET, POST
"""
permission_classes = {"get": [permissions.AllowAny], "post": [permissions.IsAuthenticated]}
def get(self, request, format=None):
posts = Post.objects.all()
serializer = PostSerializer(posts, many=True)
return Response(serializer.data, status=status.HTTP_200_OK)
def post(self, request, format=None):
serializer = PostCreationSerializer(data=request.data)
if serializer.is_valid():
obj = serializer.save()
data = serializer.data
data["id"] = obj.id
return Response(data, status=status.HTTP_201_CREATED)
return Response(status=status.HTTP_400_BAD_REQUEST)