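I was able to set up django-guardian with my django-rest-framework project as in the example in the drf docs, but I have not been able to achieve the behavior I want. Can someone point out what I am doing wrong, or whether what I want cannot be done with guardian?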
Setup

settings.py

    INSTALLED_APPS = (
        ...
        'guardian',
        'simple',
    )

    AUTHENTICATION_BACKENDS = (
        'django.contrib.auth.backends.ModelBackend',
        'guardian.backends.ObjectPermissionBackend',
    )

    # DEFAULT_PERMISSION_CLASSES is a key of DRF's REST_FRAMEWORK settings dict
    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': (
            'infrastructure.permissions.DjangoObjectPermissions',
        ),
    }
infrastructure.permissions.py

    from rest_framework import permissions


    class DjangoObjectPermissions(permissions.DjangoObjectPermissions):
        """
        Similar to `DjangoObjectPermissions`, but adding 'view' permissions.
        """
        perms_map = {
            'GET': ['%(app_label)s.view_%(model_name)s'],
            'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
            'HEAD': ['%(app_label)s.view_%(model_name)s'],
            'POST': ['%(app_label)s.add_%(model_name)s'],
            'PUT': ['%(app_label)s.change_%(model_name)s'],
            'PATCH': ['%(app_label)s.change_%(model_name)s'],
            'DELETE': ['%(app_label)s.delete_%(model_name)s'],
        }
models.py

    from django.db import models


    class Event(models.Model):
        name = models.CharField(max_length=255)
        min_age = models.IntegerField()

        def __str__(self):
            return self.name

        class Meta:
            # Custom model-level 'view' permission used by perms_map above
            permissions = (('view_event', 'Can view event'),)
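views.py

    from rest_framework import filters, viewsets

    from . import models, serializers  # assumed: same app package


    class EventViewSet(viewsets.ModelViewSet):
        queryset = models.Event.objects.all()
        serializer_class = serializers.EventSerializer
        filter_backends = (filters.DjangoObjectPermissionsFilter,)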
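Expected behavior

- The list of Events returned by EventViewSet.list contains only the objects the requesting user can view (the requesting user has the django.auth view_event permission or the ('view_event', event_object) permission).
- EventViewSet.details returns the Event instance only if the requesting user has the view_event permission or the ('view_event', event_object) permission.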
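Actual behavior

- If the user has the django auth permission view_event and the guardian permission ('view_event', event_obj), they can access the list route (getting all entries) and the details route associated with event_obj.
- If the user does not have the auth permission view_event but has the guardian permission ('view_event', event_obj), they receive a 403 on all routes (including the details route associated with the event_obj they have permission for).
- If the user has view_event but not ('view_event', event_obj), they can access the list route (seeing all entries), but they receive a 404 on the details route regardless of the entry accessed.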
Thanks!
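
The status codes reported in the question, reproduced by a small stand-alone model of how the two configured authentication backends and the two-step DRF permission check combine. This is an added example, not part of the original post and not DRF's or guardian's own code; the names User, get_status and observed_cases are hypothetical, the app label simple is assumed from INSTALLED_APPS, and only the access decision is modelled, not the contents of the filtered list.

```python
from dataclasses import dataclass, field

VIEW = "simple.view_event"  # assumption: Event lives in the 'simple' app


@dataclass
class User:
    model_perms: set = field(default_factory=set)   # model-level perms (django.contrib.auth)
    object_perms: set = field(default_factory=set)  # guardian (perm, obj) pairs


def model_backend(user, perm, obj=None):
    # ModelBackend grants nothing when a specific object is passed
    return obj is None and perm in user.model_perms


def guardian_backend(user, perm, obj=None):
    # guardian's ObjectPermissionBackend grants nothing without an object
    return obj is not None and (perm, obj) in user.object_perms


def has_perm(user, perm, obj=None):
    # Django asks every AUTHENTICATION_BACKENDS entry; any True grants access
    return any(b(user, perm, obj) for b in (model_backend, guardian_backend))


def get_status(user, obj=None):
    """Status of a GET on the list route (obj=None) or a details route."""
    # Step 1: has_permission() runs on every route and passes no object
    if not has_perm(user, VIEW):
        return 403
    # Step 2: has_object_permission() runs on details routes with the object;
    # a failed read check on a safe method is reported as 404
    if obj is not None and not has_perm(user, VIEW, obj):
        return 404
    return 200


def observed_cases(obj="event_obj"):
    # Constructed users matching the three bullets under "Actual behavior"
    users = {
        "both": User({VIEW}, {(VIEW, obj)}),
        "guardian_only": User(set(), {(VIEW, obj)}),
        "model_only": User({VIEW}, set()),
    }
    return {name: (get_status(u), get_status(u, obj)) for name, u in users.items()}


if __name__ == "__main__":
    for name, (lst, detail) in observed_cases().items():
        print(f"{name:14} list={lst} details={detail}")
```

The two checks are combined with AND, so with this permission class a guardian grant alone never gets past step 1, and a model-level grant alone never gets past step 2.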