2

我正在使用 Django Rest Framework 编写应用程序。

我创建了一个自定义权限。我为message自定义权限提供了一个属性,但仍返回默认详细信息。

让我给你我的代码。

permissions.py

from annoying.functions import get_object_or_None
from rest_framework import permissions

from intquestions.models import IntQuestion

from ..models import Candidate, CandidatePickedIntChoice

CANDIDATE_ALREADY_ANSWERED = "This candidate already answered all questions."


class CandidateAnsweredQuestionsPermission(permissions.BasePermission):
    """
    Permission to check if the candidate has answered all questions.
    Expects candidate's email or UUID in the request's body.
    """
    message = CANDIDATE_ALREADY_ANSWERED

    def has_permission(self, request, view):
        candidate = None
        email = request.data.get("email", None)
        if email:
            candidate = get_object_or_None(Candidate, email=email)
        else:
            uuid = request.data.get("candidate", None)
            if uuid:
                candidate = get_object_or_None(Candidate, uuid=uuid)

        if candidate:
            picked_choices = CandidatePickedIntChoice.objects.filter(
                candidate=candidate
            ).count()
            total_int_questions = IntQuestion.objects.count()

            if picked_choices >= total_int_questions:
                return False

        return True

views.py

from annoying.functions import get_object_or_None
from rest_framework import generics, status
from rest_framework.response import Response

from ..models import Candidate, CandidatePickedIntChoice
from .permissions import CandidateAnsweredQuestionsPermission
from .serializers import CandidateSerializer


class CandidateCreateAPIView(generics.CreateAPIView):
    serializer_class = CandidateSerializer
    queryset = Candidate.objects.all()
    permission_classes = (CandidateAnsweredQuestionsPermission,)

    def create(self, request, *args, **kwargs):
        candidate = get_object_or_None(Candidate, email=request.data.get("email", None))
        if not candidate:
            serializer = self.get_serializer(data=request.data)
            serializer.is_valid(raise_exception=True)
            self.perform_create(serializer)
            headers = self.get_success_headers(serializer.data)
            return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
        else:
            serializer = self.get_serializer(candidate, data=request.data)
            serializer.is_valid(raise_exception=True)
            return Response(serializer.data, status=status.HTTP_200_OK)

注意:我正在构建的应用程序可以让候选人回答问题。我之所以像这样重写 create 函数,是为了让尚未完成所有问题的候选人仍然能够回答所有问题。

为什么权限消息是默认的"Authentication credentials were not provided."而不是我自己的?

4

4 回答 4

5

消息Authentication credentials were not provided.说,您没有提供凭据。它不同于凭据是错误消息

接下来的事情是,该类没有属性message,因此除非您强制,否则BasePermission它不会使用您的属性。message( Source Code )

如何显示自定义PermissionDenied消息?从方法 ove viewset引发
的异常,( Source Code) 所以你的视图应该是这样的,PermissionDeniedpermission_denied()

from rest_framework import exceptions


class CandidateCreateAPIView(generics.CreateAPIView):
    # your code
    def permission_denied(self, request, message=None):
        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated()
        raise exceptions.PermissionDenied(detail=CANDIDATE_ALREADY_ANSWERED)
于 2018-10-29T05:06:10.713 回答
4

根据 Tom Christie(DRF 的作者):

PermissionDenied如果您不想允许“未经身份验证与权限被拒绝”检查运行,我建议明确提出。

他没有继续明确提及最佳地点在哪里。接受的答案似乎在视图中做到了。但是,恕我直言,我觉得最好的地方是自定义Permission类本身,因为视图可能具有多个权限,其中任何一个都可能失败。

所以这是我的看法(为简洁起见,代码被截断):

from rest_framework import exceptions, permissions     # <-- import exceptions

CANDIDATE_ALREADY_ANSWERED = "This candidate already answered all questions."


class CandidateAnsweredQuestionsPermission(permissions.BasePermission):
    message = CANDIDATE_ALREADY_ANSWERED

    def has_permission(self, request, view):
        if picked_choices >= total_int_questions:
            raise exceptions.PermissionDenied(detail=CANDIDATE_ALREADY_ANSWERED)     # <-- raise PermissionDenied here

        return True
于 2020-11-14T07:53:37.570 回答
2

我也遇到了同样的问题,终于找到了关键点:

不要使用任何身份验证

REST_FRAMEWORK = {
    # other settings...
    'DEFAULT_AUTHENTICATION_CLASSES': [],
    'DEFAULT_PERMISSION_CLASSES': [],
}
于 2019-12-12T10:15:14.237 回答
0

我遇到了同样的问题,我找到了解决方案,您甚至不需要 AllowAny Permission,只需将其设置authentication_classes为空数组,例如:

class TestView(generics.RetrieveAPIView):
        
    renderer_classes = (JSONRenderer,)
    permission_classes = (isSomethingElse,)
    serializer_class = ProductSerializer
    authentication_classes = [] # You still need to declare it even it is empty
    
    
    def retrieve(self, request, *args, **kwargs):
        pass

希望它仍然有帮助。

于 2020-07-24T06:09:10.263 回答