我有以下视图（DRF ViewSet 中的 `retrieve` 方法）：
def retrieve(self, request, pk=None, **kwargs):
    """Serialize and return the PasswordFolder addressed by the detail route.

    ``pk`` is accepted because the router passes it as a URL kwarg, but the
    instance is resolved through ``self.get_object()`` (which reads the view's
    lookup kwargs), so ``pk`` is not used directly here.

    Returns:
        ``Response`` carrying the serialized folder, or an empty
        ``404 NOT FOUND`` response when the lookup raises ``Http404``.

    Raises:
        Whatever ``check_object_permissions`` raises (DRF turns
        ``PermissionDenied`` / ``NotAuthenticated`` into 403/401).
        NOTE(review): because "missing" yields 404 while "exists but
        forbidden" yields 403, a caller without access can still learn which
        folder ids exist; return 404 for both if that matters — confirm.
    """
    try:
        folder = self.get_object()
        # DRF's GenericAPIView.get_object() already runs the object-level
        # check; repeating it here means the permission's DB lookups run
        # twice, but it guards against a custom get_object() that skips it.
        self.check_object_permissions(self.request, folder)
        payload = PasswordFolderSerializer(folder, context={'request': request}).data
    except Http404:
        return Response(status=status.HTTP_404_NOT_FOUND)
    return Response(payload)
未登录时我会得到 403，这是符合预期的，但是可浏览 API（browsable API）页面上仍然显示 "DELETE" 按钮。我该如何去掉它？下面是我的权限类：
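class CanRetrievePasswordFolder(permissions.DjangoObjectPermissions):
    """Object-level permission for reading a PasswordFolder.

    ``has_permission`` rejects anonymous callers; ``has_object_permission``
    allows every safe method for a user that has any permission level on the
    folder, and allows unsafe methods only for the levels in ``ACCESS_LEVELS``.

    NOTE(review): overriding ``has_permission`` discards the Django
    model-permission check (``perms_map``) that ``DjangoObjectPermissions``
    normally performs; if that check is wanted, call ``super()`` as well.
    """

    # Permission-level names that may perform non-safe methods on a folder.
    # NOTE(review): granting unsafe methods to 'Read' looks unintended — this
    # is what makes the browsable API offer a DELETE button to read-only
    # users (the actual DELETE still goes through CanDestroyPasswordFolder).
    ACCESS_LEVELS = ('Owner', 'Admin', 'Read')

    def has_permission(self, request, view):
        """Return True only for authenticated users.

        DRF never sets ``request.user`` to ``None``: an unauthenticated
        request carries ``AnonymousUser``. The previous ``is None`` test
        therefore let every anonymous caller through (which is why the
        browsable API still rendered action buttons). Mirror DRF's own
        ``IsAuthenticated`` instead.
        """
        return bool(request.user and request.user.is_authenticated)

    def has_object_permission(self, request, view, obj):
        """Return True if ``request.user`` may perform ``request.method`` on ``obj``.

        Safe methods (GET/HEAD/OPTIONS) only require that the user has some
        permission level on the folder; other methods require a level named
        in ``ACCESS_LEVELS``.

        Raises:
            AccessLevel.DoesNotExist: if the stored ``level_id`` references a
            missing AccessLevel row (only reachable for unsafe methods).
        """
        # Resolve the caller's grant once instead of twice per request.
        grant = get_permission_level(request, obj)
        if grant is None:
            return False
        if request.method in permissions.SAFE_METHODS:
            return True
        # The AccessLevel lookup is only needed for unsafe methods, so defer it
        # until after the safe-method shortcut.
        level = AccessLevel.objects.get(pk=grant.level_id).name
        # The original for/else returned False on the first non-matching
        # entry, so in practice only 'Owner' ever matched; a membership
        # test checks every listed level.
        return level in self.ACCESS_LEVELS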
问题很简单：我必须在视图的每个动作的权限列表里加上 `IsAuthenticated`，如下所示。原因是 DRF 对未登录请求会把 `request.user` 设为 `AnonymousUser` 而不是 `None`，所以自定义权限类里 `request.user is None` 的检查永远不会拒绝匿名用户；`IsAuthenticated` 检查的是 `request.user.is_authenticated`，可浏览 API 渲染按钮前会先经过它，因此按钮就不再显示了。
# Per-action permission classes for the ViewSet. DRF ANDs the classes in a
# list, so pairing every action with IsAuthenticated rejects anonymous
# callers (AnonymousUser) before the custom object-level check runs.
# NOTE(review): DRF does not read this attribute by itself — the view must
# override get_permissions() to look the current action up here (not shown).
permission_classes_by_action = {
    action: [permission, IsAuthenticated]
    for action, permission in (
        ('create', CanCreatePasswordFolder),
        ('list', CanListPasswordFolder),
        ('retrieve', CanRetrievePasswordFolder),
        ('partial_update', CanUpdatePasswordFolder),
        ('update', CanUpdatePasswordFolder),
        ('destroy', CanDestroyPasswordFolder),
    )
}