我将ListView集权限设置为IsAuthenticated,但是当我在Incognito窗口中点击URL时.我能够查看数据.虽然当我将权限设置为IsAdmin时,它通过向我显示错误来完美地工作.这是我的序列化器
class BlogListSerializer(ModelSerializer):
url = HyperlinkedIdentityField(
view_name="blog_api:post_detail",
lookup_field="slug"
)
class Meta:
model = Blog
fields = [
'url',
'title',
'category',
'date',
'publish',
'draft'
]
以下是我的观点
from rest_framework.permissions import IsAuthenticated
class BlogListAPIView(ListAPIView):
queryset = Blog.objects.filter(publish=True, draft=False)
serializer_class = BlogListSerializer
permission_classes = [IsAuthenticated]
设置文件
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
)
}
中间件设置
MIDDLEWARE_CLASSES = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
当我尝试通过在BlogListAPIView上调用get_object来访问用户时,它会抛出错误,而不是JSON可序列化.出于某种原因,中间件将AnonymousUser作为用户.如果有AnonymousUser登录,则会失败IsAuthenticated权限.这就是发生的事情(我猜).但是我无法注销AnonymousUser.为什么要访问AnonymousUser以及如何将他注销?