Django REST框架:有关对象级权限的帮助

时间:2013-01-12 12:06:48

标签: django django-rest-framework

遵循本教程:

http://django-rest-framework.org/tutorial/1-serialization.html

通过http://django-rest-framework.org/tutorial/4-authentication-and-permissions.html

我有这段代码:

# models.py
class Message(BaseDate):
    """
    Private Message Model
    Handles private messages between users
    """
    status = models.SmallIntegerField(_('status'), choices=choicify(MESSAGE_STATUS))
    from_user = models.ForeignKey(User, verbose_name=_('from'), related_name='messages_sent')
    to_user = models.ForeignKey(User, verbose_name=_('to'), related_name='messages_received')
    text = models.TextField(_('text'))
    viewed_on = models.DateTimeField(_('viewed on'), blank=True, null=True)


# serialisers.py
class MessageSerializer(serializers.ModelSerializer):
    from_user = serializers.Field(source='from_user.username')
    to_user = serializers.Field(source='to_user.username')

    class Meta:
        model = Message
        fields = ('id', 'status', 'from_user', 'to_user', 'text', 'viewed_on')


# views.py
from permissions import IsOwner

class MessageDetail(generics.RetrieveUpdateDestroyAPIView):
    model = Message
    serializer_class = MessageSerializer
    authentication_classes = (TokenAuthentication, SessionAuthentication)
    permission_classes = (permissions.IsAuthenticated, IsOwner)


# permissions.py
class IsOwner(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit or delete it.
    """

    def has_permission(self, request, view, obj=None):
        # Write permissions are only allowed to the owner of the snippet
        return obj.from_user == request.user


# urls.py
urlpatterns = patterns('',
    url(r'^messages/(?P<pk>[0-9]+)/$', MessageDetail.as_view(), name='api_message_detail'),
)

然后打开API的URL我收到此错误:

**AttributeError at /api/v1/messages/1/
'NoneType' object has no attribute 'from_user'**

Traceback:
File "/var/www/sharigo/python/lib/python2.6/site-packages/django/core/handlers/base.py" in get_response
  111.                         response = callback(request, *callback_args, **callback_kwargs)
File "/var/www/sharigo/python/lib/python2.6/site-packages/django/views/generic/base.py" in view
  48.             return self.dispatch(request, *args, **kwargs)
File "/var/www/sharigo/python/lib/python2.6/site-packages/django/views/decorators/csrf.py" in wrapped_view
  77.         return view_func(*args, **kwargs)
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in dispatch
  363.             response = self.handle_exception(exc)
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in dispatch
  351.             self.initial(request, *args, **kwargs)
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in initial
  287.         if not self.has_permission(request):
File "/var/www/sharigo/python/lib/python2.6/site-packages/rest_framework/views.py" in has_permission
  254.             if not permission.has_permission(request, self, obj):
File "/var/www/sharigo/sharigo/apps/sociable/permissions.py" in has_permission
  17.         return obj.from_user == request.user

Exception Type: AttributeError at /api/v1/messages/1/
Exception Value: 'NoneType' object has no attribute 'from_user'

似乎将None作为参数“obj”的值传递给isOwner.has_permission()。 我究竟做错了什么?我想我严格遵循了教程。

2 个答案:

答案 0 :(得分:9)

当使用has_permission()调用obj=None时,它应该返回用户是否有权此类型的任何对象。所以你应该在没有通过时处理这个案例。

您的代码应该是:

def has_permission(self, request, view, obj=None):
    # Write permissions are only allowed to the owner of the snippet
    return obj is None or obj.from_user == request.user

答案 1 :(得分:9)

使用函数has_object_permission代替has_permission

前:

def has_object_permission(self, request, view, obj=None):
    return obj.from_user == request.user

并在视图中的get_object内调用函数check_object_permissions

def get_object(self):
    obj = get_object_or_404(self.get_queryset())
    self.check_object_permissions(self.request, obj)
    return obj