Questions tagged [django-rest-framework-permissions]

For questions regarding programming in ECMAScript (JavaScript/JS) and its various dialects/implementations (excluding ActionScript). Note JavaScript is NOT the same as Java! Please include all relevant tags on your question; e.g., [node.js], [jquery], [json], [reactjs], [angular], [ember.js], [vue.js], [typescript], [svelte], etc.

0 votes
5 answers
31244 views

python - Django REST framework object level permissions

I am using Django REST Framework to access a resource 'user'.

As user information is personal, I do not want a GET request to list every user on the system, UNLESS they are an admin.

If the user specifies their id, and they are logged in, I would like them to be able to view their details and amend them (PUT POST DELETE) if required.

So in summary, disallow GET method for anyone who isn't an admin and allow GET POST DELETE PUT on logged-in users when viewing their information.

I created the custom permission class:

This didn't work. After some debugging I found that it checks has_permission first, THEN checks has_object_permission. So if we don't get past that first hurdle GET /user/, then it won't even consider the next GET /user/id.

How would I go about getting this to work?

I was using ModelViewSets.

But if you split the List functionality with the Detail then you can give them separate permission classes:

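0 votes
3 answers
15785 views

django - What is the difference between has_object_permission and has_permission?

I am confused about BasePermission in Django-rest-framework.

Here I defined a class: IsAuthenticatedAndOwner.

It is used in views.py

But it does not work at all. Everyone can pass the permission check and update the data.

called was not printed out.

I used to define this class: IsNotAuthenticated

It works well in the function

So, what is the difference between the above examples, and between the functions has_object_permission & has_permission?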

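0 votes
1 answer
96 views

python - Python requests with Django Rest Framework - 'detail': 'Authentication credentials were not provided'

I have a small function that just looks to get a response from my DRF API endpoint.

My DRF settings look like this:

I am using this to try to hit the endpoint:

I keep getting 'detail': 'Authentication credentials were not provided'

Do I need to generate a CSRF token and include it in the GET request? The only time this gets hit is when a user goes to a view that requires them to be logged in. Is there a way to pass that logged-in user to the endpoint?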