我有以下视图:
class ActivityViewSet(viewsets.ModelViewSet):
queryset = Activity.objects.all()
serializer_class = ActivitySerializer
def get_permissions(self):
if self.action in ['update','partial_update','destroy','list']:
self.permission_classes = [permissions.IsAdminUser,]
elif self.action in ['create']:
self.permission_classes = [permissions.IsAuthenticated,]
else :
self.permission_classes = [permissions.AllowAny,]
return super(self.__class__, self).get_permissions()
如图所示,对于Authenticated用户(不是管理员),我试图允许“创建”方法而不允许“列表”。奇怪的是,此Viewset不会为Authenticated用户创建任何创建或列表。我检查过,只是为了剔除,下面的代码:
class RouteOrderingDetail(mixins.CreateModelMixin,
mixins.RetrieveModelMixin,
mixins.DestroyModelMixin,
mixins.UpdateModelMixin,
viewsets.GenericViewSet):
queryset = RouteOrdering.objects.all()
serializer_class = RouteOrderingSerializer
这确实允许一个视图,其中有创建但不是列表(但它不适用于我,因为我确实需要列表选项可用。
希望问题很清楚。任何帮助将不胜感激。
也许你可以试试这个:
class NotCreateAndIsAdminUser(permissions.IsAdminUser):
def has_permission(self, request, view):
return (view.action in ['update', 'partial_update', 'destroy', 'list']
and super(NotCreateAndIsAdminUser, self).has_permission(request, view))
class CreateAndIsAuthenticated(permissions.IsAuthenticated):
def has_permission(self, request, view):
return (view.action == 'create'
and super(CreateAndIsAuthenticated, self).has_permission(request, view))
class NotSafeMethodAndAllowAny(permissions.AllowAny)
def has_permission(self, request, view):
return (view.action is not in ['update', 'partial_update', 'destroy', 'list', 'create']
and super(NotSafeMethodAndAllowAny, self).has_permission(request, view))
class ActivityViewSet(viewsets.ModelViewSet):
queryset = Activity.objects.all()
serializer_class = ActivitySerializer
permission_classes = (NotCreateAndIsAdminUser, CreateAndIsAuthenticated, NotSafeMethodAndAllowAny)
def create(self, request):
pass
def list(self, request):
pass
....
参考:Allow separate permissions per View in ViewSet
此外,您可能想要查看与您的问题非常相似的问题:Separate permissions per methods
要么
你可以这样做:
class ActivityViewSet(viewsets.ModelViewSet):
queryset = Activity.objects.all()
serializer_class = ActivitySerializer
def get_permissions(self):
if self.action in ['update', 'partial_update', 'destroy', 'list']:
# which is permissions.IsAdminUser
return request.user and request.user.is_staff
elif self.action in ['create']:
# which is permissions.IsAuthenticated
return request.user and is_authenticated(request.user)
else :
# which is permissions.AllowAny
return True
我意识到这已经得到了回答,但是想要分享我的实现,以防它更适合OPS用例或其他人的:
from rest_framework.authentication import TokenAuthentication, SessionAuthentication
from rest_framework.permissions import IsAuthenticated, AllowAny
from rest_framework.viewsets import ReadOnlyModelViewSet
from ..models import MyModel
from .serializers import MyModelSerializer
class ActionBasedPermission(AllowAny):
"""
Grant or deny access to a view, based on a mapping in view.action_permissions
"""
def has_permission(self, request, view):
for klass, actions in getattr(view, 'action_permissions', {}).items():
if view.action in actions:
return klass().has_permission(request, view)
return False
class MyModelViewSet(ReadOnlyModelViewSet):
serializer_class = MyModelSerializer
queryset = MyModel.objects.all()
permission_classes = (ActionBasedPermission,)
action_permissions = {
IsAuthenticated: ['update', 'partial_update', 'destroy', 'list', 'create'],
AllowAny: ['retrieve']
}
authentication_classes = (TokenAuthentication, SessionAuthentication)
希望这有帮助的人:)