问题标签 [django-rest-framework-permissions]
For questions regarding programming in ECMAScript (JavaScript/JS) and its various dialects/implementations (excluding ActionScript). Note JavaScript is NOT the same as Java! Please include all relevant tags on your question; e.g., [node.js], [jquery], [json], [reactjs], [angular], [ember.js], [vue.js], [typescript], [svelte], etc.
python - Django REST framework object level permissions
I am using Django REST Framework to access a resource 'user'.
As user information is personal, I do not want a GET request to list every user on the system, UNLESS they are an admin.
If the user specifies their id, and they are logged in, I would like them to be able to view their details and amend them (PUT POST DELETE) if required.
So in summary, dis-allow GET method for anyone who isn't an admin and allow GET POST DELETE PUT on logged-in users when viewing their information.
I created the custom permission class:
This didn't work. After some debugging I found that it checks has_permission
first, THEN checks has_object_permission
. So if we don't get past that first hurdle GET /user/
, then it won't even consider the next GET /user/id
.
How I would go about getting this to work?
I was using ModelViewSets.
But if you split the List functionality with the Detail then you can give them separate permission classes:
django - has_object_permission 和 has_permission 有什么区别?
我对BasePermission
Django-rest-framework 中的内容感到困惑。
这里我定义了一个类:IsAuthenticatedAndOwner
.
使用在views.py
但它根本不起作用。每个人都可以通过权限并更新数据。
called
没有打印出来。
我曾经定义过这个类:IsNotAuthenticated
它在功能中运行良好
has_object_permission
那么,上面的例子和函数&有什么区别has_permission
呢?
python - 带有 Django Rest Framework 的 Python 请求 - “详细信息”:“未提供身份验证凭据”
我有一个小函数,它只是看起来从我的 DRF API 端点获得响应。
我的 DRF 设置如下所示:
我正在使用它来尝试达到终点:
我不断得到'detail': 'Authentication credentials were not provided'
我是否需要生成 CSRF 令牌并将其包含在 GET 请求中?唯一一次被击中是当用户进入需要他们登录的视图时。有没有办法将该登录用户传递到端点?