I am new to django-rest, so I tried to create a permission so that an employee can only GET or PUT their own information. I used has_object_permission, but I can still access all the other users.
permissions.py:

    from rest_framework.permissions import BasePermission
    from .models import Role_User


    class IsHRadmin(BasePermission):
        message = 'You are not allowed'

        # View-level check only; the object-level check is inherited from BasePermission.
        def has_permission(self, request, view):
            methods = ['GET', 'POST', 'PUT', 'DELETE']
            req = request.user
            user = Role_User.objects.get(user_id_id=req.id)
            role = "HR_Admin"
            if str(user.role_id) == role:
                print("Hello World")  # debug output
                if request.method in methods:
                    return True
            return False


    class IsEmployee(BasePermission):
        message = 'You are not allowed'

        # Object-level check: only the owner may GET or PUT the record.
        def has_object_permission(self, request, view, obj):
            methods = ['GET', 'PUT']
            if request.method in methods:
                if obj.owner == request.user:
                    return True
            return False

views.py:

    from rest_framework import generics, mixins
    from rest_framework.permissions import IsAdminUser, IsAuthenticated
    from .models import employee
    from .permissions import IsEmployee, IsHRadmin
    from .serializers import EmployeeSerializer


    class EmployeeDetail(mixins.RetrieveModelMixin,
                         mixins.UpdateModelMixin,
                         mixins.DestroyModelMixin,
                         generics.GenericAPIView):
        lookup_field = 'pk'
        serializer_class = EmployeeSerializer
        auth1 = IsAuthenticated & IsEmployee
        auth2 = IsAuthenticated & IsHRadmin
        permission_classes = [auth1 | auth2 | IsAdminUser]

        def get_queryset(self):
            return employee.objects.filter(pk=self.kwargs['pk'])

        def get(self, request, *args, **kwargs):
            response = self.retrieve(request, *args, **kwargs)
            return response

        def put(self, request, *args, **kwargs):
            return self.update(request, *args, **kwargs)

        def delete(self, request, *args, **kwargs):
            return self.destroy(request, *args, **kwargs)
Answer 0 (score: 1)

The problem is that IsHRadmin defines the view-level permission check has_permission, not the object-level permission check has_object_permission. By default, has_object_permission returns True, so although the other permissions allow the user to access the view, IsHRadmin allows him to access the object even when he should not. So you should add to IsHRadmin:

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)
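The following is an added example, not code from the question or the answer, that reproduces the leak the answer describes without needing Django installed. It assumes a minimal re-implementation of `BasePermission`, `AND` and `OR` with the behaviour the answer relies on (`has_object_permission` defaults to `True`, and `OR` simply ORs its operands' object-level results), and uses constructed `User`, `Employee` and `Request` stand-ins for Django's user, the `Role_User` lookup and the request. `IsAdminUser` from the view's composition is left out to keep the model small.

```python
# Added example (not from the question or answer): a Django-free model of DRF
# permission composition that reproduces the IsHRadmin leak and shows the fix.
# Assumptions: the minimal BasePermission/AND/OR below follow the defaults the
# answer relies on; User/Employee/Request are constructed stand-ins.
from dataclasses import dataclass

HR_METHODS = {"GET", "POST", "PUT", "DELETE"}
EMPLOYEE_METHODS = {"GET", "PUT"}


@dataclass(frozen=True)
class User:
    id: int
    role: str                      # stands in for Role_User.role_id
    is_authenticated: bool = True


@dataclass(frozen=True)
class Employee:
    pk: int
    owner: User


@dataclass(frozen=True)
class Request:
    user: User
    method: str


class BasePermission:
    """Same defaults as rest_framework.permissions.BasePermission."""

    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True  # the default that lets the posted IsHRadmin through

    def __and__(self, other):
        return AND(self, other)

    def __or__(self, other):
        return OR(self, other)


class AND(BasePermission):
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return (self.op1.has_permission(request, view)
                and self.op2.has_permission(request, view))

    def has_object_permission(self, request, view, obj):
        return (self.op1.has_object_permission(request, view, obj)
                and self.op2.has_object_permission(request, view, obj))


class OR(BasePermission):
    def __init__(self, op1, op2):
        self.op1, self.op2 = op1, op2

    def has_permission(self, request, view):
        return (self.op1.has_permission(request, view)
                or self.op2.has_permission(request, view))

    def has_object_permission(self, request, view, obj):
        return (self.op1.has_object_permission(request, view, obj)
                or self.op2.has_object_permission(request, view, obj))


class IsAuthenticated(BasePermission):
    def has_permission(self, request, view):
        return request.user.is_authenticated


class IsHRadminLeaky(BasePermission):
    """As posted: view-level check only; object-level check inherits True."""

    def has_permission(self, request, view):
        return request.user.role == "HR_Admin" and request.method in HR_METHODS


class IsHRadminFixed(IsHRadminLeaky):
    """The answer's fix: object-level check as strict as the view-level one."""

    def has_object_permission(self, request, view, obj):
        return self.has_permission(request, view)


class IsEmployee(BasePermission):
    def has_object_permission(self, request, view, obj):
        return request.method in EMPLOYEE_METHODS and obj.owner == request.user


def allowed(hr_admin_cls, user, method, obj):
    """Mimic GenericAPIView: has_permission runs in initial(), then
    has_object_permission in get_object(), over the view's composition
    (IsAuthenticated & IsEmployee) | (IsAuthenticated & IsHRadmin)."""
    permission = (IsAuthenticated() & IsEmployee()) | (IsAuthenticated() & hr_admin_cls())
    request = Request(user=user, method=method)
    return bool(permission.has_permission(request, None)
                and permission.has_object_permission(request, None, obj))


# Constructed sample data
ALICE = User(id=1, role="Employee")
BOB = User(id=2, role="Employee")
HR = User(id=3, role="HR_Admin")
ANON = User(id=0, role="", is_authenticated=False)
ALICE_RECORD = Employee(pk=1, owner=ALICE)
BOB_RECORD = Employee(pk=2, owner=BOB)

if __name__ == "__main__":
    print("leaky, alice GET bob:", allowed(IsHRadminLeaky, ALICE, "GET", BOB_RECORD))
    print("fixed, alice GET bob:", allowed(IsHRadminFixed, ALICE, "GET", BOB_RECORD))
    print("fixed, alice GET alice:", allowed(IsHRadminFixed, ALICE, "GET", ALICE_RECORD))
    print("fixed, hr DELETE bob:", allowed(IsHRadminFixed, HR, "DELETE", BOB_RECORD))
```

With the leaky class, alice's GET on bob's record is rejected by `IsAuthenticated & IsEmployee` at the object level but accepted by `IsAuthenticated & IsHRadmin`, whose object-level result is the inherited `True`, so the OR grants access. With the fix, that operand reuses the role check and the request is denied, while alice's own record and the HR admin's requests still pass. In real DRF the operands are classes rather than instances (`IsAuthenticated & IsEmployee`) and are instantiated per request; the semantics modelled here are otherwise the same. Newer DRF releases have changed the OR operand so that its object-level check also requires the operand's `has_permission`, which would close this path on its own; check the release notes for the version you run rather than relying on it, and keep the explicit override regardless.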