Checking check_object_permissions with CreateAPIView

Time: 2016-08-29 19:38:32

Tags: django django-rest-framework

CommentCreate is a CreateAPIView used to post comments on another model, "Report". I need to prevent anyone who is not the author of the report, or anyone in a specified group of people who are not allowed to post comments, from using this endpoint to create comments.

from rest_framework import generics, exceptions


class CommentCreate(generics.CreateAPIView):
    serializer_class = CommentSerializer
    queryset = Comment.objects.none()

    def check_object_permissions(self, request, obj):
        # intended object-level check on the comment's parent report
        if obj.report.creator != request.user:
            # also check if request.user is in the group of people that can comment
            raise exceptions.PermissionDenied(
                detail='You do not have permission')

The problem I am facing is that check_object_permissions is called, but the exception is not caught anywhere, so the comment is posted normally anyway. What am I missing here?

1 answer:

Answer 0 (score: 4)

The method check_object_permissions is not called when a Comment is created.

Here is the full create code behind CreateAPIView:

from rest_framework import status
from rest_framework.response import Response
from rest_framework.settings import api_settings


class CreateModelMixin(object):
    """
    Create a model instance.
    """
    def create(self, request, *args, **kwargs):
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        self.perform_create(serializer)
        headers = self.get_success_headers(serializer.data)
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)

    def perform_create(self, serializer):
        serializer.save()

    def get_success_headers(self, data):
        try:
            return {'Location': data[api_settings.URL_FIELD_NAME]}
        except (TypeError, KeyError):
            return {}

check_object_permissions is only called from get_object, which is only called when you retrieve an object through the API, and CommentCreate never does that.

To do the permission check on create, override the perform_create method in your class and check there:

from rest_framework import generics, exceptions


class CommentCreate(generics.CreateAPIView):
    serializer_class = CommentSerializer
    queryset = Comment.objects.none()

    def perform_create(self, serializer):
        # untested if...
        if serializer.validated_data['report'].creator != self.request.user:
            raise exceptions.PermissionDenied(
                detail='You do not have permission')
        serializer.save()
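To make the control-flow difference concrete, here is an added stand-alone example; it is not code from the question, the answer, or Django REST framework itself. It runs without Django: `GenericAPIView`, `CreateAPIView`, `CommentSerializer`, `Request` and the model classes are constructed stand-ins that copy only the control flow of the DRF code quoted in the answer, and `allowed_commenters` is a hypothetical field standing in for the asker's "group of people allowed to comment". `BrokenCommentCreate` is the asker's pattern; `CommentCreate` is the fix, with the rule moved into a DRF-style permission class (`CanCommentOnReport`) so that `perform_create` hands the parent `Report` from `validated_data` to `check_object_permissions`, which is the idiom that also works in a real DRF view.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for rest_framework.exceptions.PermissionDenied."""

# Constructed stand-ins for the Django models and the DRF request.
@dataclass(frozen=True)
class User:
    username: str

@dataclass
class Report:
    creator: User
    allowed_commenters: set = field(default_factory=set)  # hypothetical M2M field

@dataclass
class Comment:
    report: Report
    author: User
    text: str

@dataclass
class Request:
    user: User
    data: dict

class CommentSerializer:
    """Minimal ModelSerializer stand-in: validate, then save a Comment."""
    def __init__(self, data, context):
        self.initial_data, self.context, self.validated_data = data, context, None

    def is_valid(self, raise_exception=False):
        self.validated_data = dict(self.initial_data)  # real DRF resolves 'report' by pk
        return True

    def save(self):
        return Comment(self.validated_data["report"], self.context["request"].user,
                       self.validated_data["text"])

class GenericAPIView:
    permission_classes = []
    serializer_class = CommentSerializer

    def __init__(self, request):
        self.request = request

    def check_object_permissions(self, request, obj):
        # Same loop as DRF: every permission class votes on the object.
        for permission in (cls() for cls in self.permission_classes):
            if not permission.has_object_permission(request, self, obj):
                raise PermissionDenied("You do not have permission")

    def get_object(self):
        # DRF only calls check_object_permissions from here; create() never gets here.
        raise AssertionError("get_object() is not part of the create flow")

class CreateAPIView(GenericAPIView):
    def create(self):
        # Mirrors the CreateModelMixin.create() quoted in the answer: no get_object().
        serializer = self.serializer_class(data=self.request.data,
                                           context={"request": self.request})
        serializer.is_valid(raise_exception=True)
        return self.perform_create(serializer)  # returns the instance here, for testing

    def perform_create(self, serializer):
        return serializer.save()

# The asker's pattern next to the fix.
class CanCommentOnReport:
    """Object-level rule: the report's author, or anyone on its allowed list."""
    def has_object_permission(self, request, view, report):
        return request.user == report.creator or request.user in report.allowed_commenters

class BrokenCommentCreate(CreateAPIView):
    """Overrides the hook that create() never calls, so the check is dead code."""
    def check_object_permissions(self, request, obj):
        if obj.report.creator != request.user:
            raise PermissionDenied("You do not have permission")

class CommentCreate(CreateAPIView):
    """Fix: check the parent Report taken from validated_data inside perform_create."""
    permission_classes = [CanCommentOnReport]

    def perform_create(self, serializer):
        report = serializer.validated_data["report"]
        self.check_object_permissions(self.request, report)  # runs CanCommentOnReport
        return serializer.save()

def post_comment(view_cls, user, report, text="looks wrong"):
    """Run the view for `user`; return the created Comment or the string 'denied'."""
    try:
        return view_cls(Request(user, {"report": report, "text": text})).create()
    except PermissionDenied:
        return "denied"

# Constructed sample data: alice wrote the report and allowed only bob to comment.
alice, bob, mallory = User("alice"), User("bob"), User("mallory")
REPORT = Report(creator=alice, allowed_commenters={bob})
```

With the broken view, `post_comment(BrokenCommentCreate, mallory, REPORT)` hands back a Comment authored by mallory, because the overridden hook is never reached; with the fix the same request raises PermissionDenied, while alice (author) and bob (allowed) still get through. In a real DRF project `perform_create` returns nothing and the framework builds the 201 response, but the check is the same: the parent object exists only in `validated_data`, so that is where the object-level check must run. Reading it from `validated_data` rather than `request.data` also guarantees the check and the save operate on the same resolved object.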