Question

学生不能使用不安全的方法。我尝试测试它，但失败了AssertionError: 201 != 403，而post方法被禁止。我的函数只在一个特定的情况下获得权限，我无法理解为什么（在代码中强调）权限：

class IsTeacherOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        print (request.method)
        print (request.user)
        if request.method in permissions.SAFE_METHODS:
            return True
        print(request.user.staff)
        return request.user.staff == 'T'

设置：

REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
    # 'rest_framework.authentication.BasicAuthentication',
    # 'rest_framework.authentication.SessionAuthentication',
    'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
    'core.permissions.IsTeacherOrReadOnly',
    'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_FILTER_BACKENDS': (
    'django_filters.rest_framework.DjangoFilterBackend',
),
'TEST_REQUEST_DEFAULT_FORMAT': 'json'

}

测试（我不确定究竟什么是有用的，所以我将编写整个函数）：

def test_student_API(self):
    factory = APIRequestFactory()
    User(username='student1', password='qwert1234', staff="S").save()
    student = User.objects.get(username='student1')

    Token.objects.create(user=student)

    self.student_list_api(factory, student)
    self.student_detail_api(factory, student)

def student_list_api(self, factory, student):
    class_time_list = ClassTimeViewSet.as_view({'get': 'list'})
    self._student_list_api_request(factory, student, class_time_list, 'api/v0/classtimes', 8)


def _student_list_api_request(self, factory, student, class_time_list,
                              url, resp_len):
    student_request = factory.get(url)
    response_unauthenticated = class_time_list(student_request)
    self.assertEqual(response_unauthenticated.status_code,
                     status.HTTP_401_UNAUTHORIZED)
    force_authenticate(student_request, student, token=student.auth_token)
    response = class_time_list(student_request)
    self.assertEqual(response.status_code, status.HTTP_200_OK)
    self.assertEqual(len(response.data), resp_len)

def student_detail_api(self, factory, student):
    class_time_detail = ClassTimeViewSet.as_view({'get': 'retrieve'})
    student_request = factory.get('api/v0/classtimes')
    response_unauthenticated = class_time_detail(student_request, pk=1)
    self.assertEqual(response_unauthenticated.status_code, status.HTTP_401_UNAUTHORIZED)
    force_authenticate(student_request, student, student.auth_token)

    print('--------------')
    print('Only in this case permissions is reached')
    response = class_time_detail(student_request, pk=1)
    print('---------------')

    response.render()
    self.assertEqual(response.status_code, status.HTTP_200_OK)
    self.assertEqual(json.loads(response.content), {
        "id": 1,
        "lesson_start": "08:30:00",
        "lesson_end": "09:15:00"
    })
    class_time_detail = ClassTimeViewSet.as_view({'post':'create'})

    student_request = factory.post('api/v0/classtimes',{'lesson_start':'20:00:00','lesson_end':'20:45:00'},format='json')
    force_authenticate(student_request,student,student.auth_token)
    response = class_time_detail(student_request)
    response.render()
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)

输出：

Creating test database for alias 'default'...
System check identified no issues (0 silenced).
----
Only in this case permissions is reached
GET
student1
---

Failure
Traceback (most recent call last):
  File "D:\PyProjects\DjangoReact\classtime\tests.py", line 33, in test_student_API
    self.student_detail_api(factory, student)
  File "D:\PyProjects\DjangoReact\classtime\tests.py", line 83, in student_detail_api
    self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
AssertionError: 201 != 403

Destroying test database for alias 'default'...

Answer 1

原因是压倒了错误的功能。我应该被覆盖： “def has_permission（self，request，view）”不是 “def has_object_permission（self，request，view，obj）

在测试中无法达到DRF权限

1 个答案: