{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 放我归山 的问题《Django rest framework ignores has_object_permissio》','https://www.manongdao.com/q-766686.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to limit the access to objects for users. Only creaters should modify objects. For that purpose like they say in tutorial I've written
class IsOwnerOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
return False
and added it to permission_classes. But still any user can modify any object. If I add method
def has_permission(self, request, view):
return False
nobody can do anything. So all behaviour is controlled by the only has_permission method that doesn't provide any way to handle per object permissions. So am I doing something wrong? Here's the code of request handler
class ProblemsHandler(APIView):
permission_classes = (
IsOwnerOrReadOnly,
permissions.IsAuthenticatedOrReadOnly,
)
def pre_save(self, request, problem):
problem.author = request.user
def get_object(self, request, pk, format):
try:
problem = ProblemsModel.objects.get(pk=pk)
serializer = ProblemsSerializer(problem)
return Response(serializer.data, status=HTTP_200_OK)
except ProblemsModel.DoesNotExist:
raise Http404
def get_list(self, request, format):
problems = ProblemsModel.objects.all()
serializer = ProblemsSerializer(problems, many=True)
return Response(serializer.data, status=HTTP_200_OK)
def get(self, request, pk=None, format=None):
if pk:
return self.get_object(request, pk, format)
else:
return self.get_list(request, format)
def post(self, request, format=None):
serializer = ProblemsSerializer(data=request.DATA)
if serializer.is_valid():
self.pre_save(request, serializer.object)
serializer.save()
return Response(serializer.data, status=HTTP_201_CREATED)
else:
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
def put(self, request, pk, format=None):
try:
problem = ProblemsModel.objects.get(pk=pk)
serializer = ProblemsSerializer(problem, data=request.DATA)
if serializer.is_valid():
self.pre_save(request, serializer.object)
serializer.save()
return Response(serializer.data, status=HTTP_200_OK)
else:
return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)
except ProblemsModel.DoesNotExist:
raise Http404
def delete(self, request, pk, format=None):
try:
problem = ProblemsModel.objects.get(pk=pk)
problem.delete()
return Response(status=HTTP_204_NO_CONTENT)
except ProblemsModel.DoesNotExist:
raise Http404
the permission-checks for objects are done by DRF in the method
APIView.check_object_permissions.Since you don't use the
GenericAPIView, you define your ownget_objectmethod and you have to callcheck_object_permissionsyourself. Since you are mis-using get_object a bit, you have to check for GET (single), PUT and DELETEPerhaps have a better look at the DRF Generic Views, since your use-case looks much like them. Normally
get_objectshould only return an object and check the permissions.