Django REST Framework - Browsable API remove delete
Problem description:
I have the following view:
    from django.http import Http404
    from rest_framework import status
    from rest_framework.response import Response

    # Method of the viewset
    def retrieve(self, request, pk=None, **kwargs):
        try:
            instance = self.get_object()
            self.check_object_permissions(self.request, instance)
            serializer = PasswordFolderSerializer(instance, context={'request': request})
            return Response(serializer.data)
        except Http404:
            return Response(status=status.HTTP_404_NOT_FOUND)
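When not logged in I get a 403, which is good, but the "Delete" button is still shown in the browsable API. How do I get rid of it? Here are my permissions: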
    from rest_framework import permissions

    class CanRetrievePasswordFolder(permissions.DjangoObjectPermissions):
        def has_permission(self, request, view):
            if request.user is None:
                return False
            else:
                return True

        def has_object_permission(self, request, view, obj):
            access_levels = ['Owner', 'Admin', 'Read']
            if get_permission_level(request, obj) is None:
                return False
            else:
                level = AccessLevel.objects.get(pk=get_permission_level(request, obj).level_id).name
                if request.method in permissions.SAFE_METHODS:
                    return True
                else:
                    # for/else: deny only after no access level has matched
                    for access in access_levels:
                        if level == access:
                            return True
                    else:
                        return False
Answer
Pretty silly: I had to add IsAuthenticated to my permissions tuple in the view, like so:
    from rest_framework.permissions import IsAuthenticated

    permission_classes_by_action = {
        'create': [CanCreatePasswordFolder, IsAuthenticated],
        'list': [CanListPasswordFolder, IsAuthenticated],
        'retrieve': [CanRetrievePasswordFolder, IsAuthenticated],
        'partial_update': [CanUpdatePasswordFolder, IsAuthenticated],
        'update': [CanUpdatePasswordFolder, IsAuthenticated],
        'destroy': [CanDestroyPasswordFolder, IsAuthenticated],
    }
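
Why the extra class matters, as an added example that is not part of the original question or answer: for an unauthenticated request DRF sets `request.user` to an `AnonymousUser` object rather than `None`, so the `request.user is None` test in `has_permission` never denies anyone. The classes below are simplified stand-ins written for this page (not DRF's or the poster's code), and `visible_forms` is a hypothetical helper that models, as an assumption, which unsafe-method controls pass the view-level check.

```python
# Simplified model of a DRF view-level permission check.
# All classes here are stand-ins constructed for illustration, not DRF code.
from dataclasses import dataclass


class AnonymousUser:
    """Stand-in for django.contrib.auth.models.AnonymousUser."""
    is_authenticated = False


class LoggedInUser:
    """Constructed stand-in for an authenticated user."""
    is_authenticated = True


@dataclass
class Request:
    user: object
    method: str


class NoneCheckPermission:
    """Same test as has_permission in the question's CanRetrievePasswordFolder."""
    def has_permission(self, request, view=None):
        return request.user is not None


class IsAuthenticatedModel:
    """Same test as rest_framework.permissions.IsAuthenticated."""
    def has_permission(self, request, view=None):
        return bool(request.user and request.user.is_authenticated)


def check_permissions(request, permission_classes):
    # As in DRF, every listed permission class must grant access.
    return all(cls().has_permission(request) for cls in permission_classes)


def visible_forms(user, permission_classes, methods=("PUT", "PATCH", "DELETE")):
    # Assumption: a method's form or button is shown when the view-level check
    # passes for a request using that method and no object has been loaded.
    return [m for m in methods if check_permissions(Request(user, m), permission_classes)]


if __name__ == "__main__":
    before = [NoneCheckPermission]
    after = [NoneCheckPermission, IsAuthenticatedModel]
    print("anonymous, before:", visible_forms(AnonymousUser(), before))
    print("anonymous, after: ", visible_forms(AnonymousUser(), after))
    print("logged in, after: ", visible_forms(LoggedInUser(), after))
```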