我的项目是一个博客 REST API,用户可以在其中发布文章。我将权限定制为仅文章作者本人可以编辑,但任何用户都可以删除文章。
views.py
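class ArticleViewSet(viewsets.ModelViewSet):
    """CRUD endpoints for ``Article``.

    Actions that modify or remove an existing article (``update``,
    ``partial_update``, ``destroy``) are checked with ``IsOwnerOrReadOnly``.
    Every other action keeps whatever ``permission_classes`` the class
    already has (the project default when none is set here).
    """

    serializer_class = ArticleSerializer
    queryset = Article.objects.all()

    def get_permissions(self):
        """Return the permission instances that apply to the current action."""
        # ModelViewSet maps the DELETE method to the 'destroy' action; 'delete'
        # is the HTTP verb and is never a value of self.action. Listing
        # 'delete' here meant the owner check was never applied to deletions.
        if self.action in ('update', 'partial_update', 'destroy'):
            self.permission_classes = [IsOwnerOrReadOnly]
        # NOTE(review): 'create' and the read actions fall through to the
        # default permission classes, which are not visible here. Confirm
        # those require authentication where intended.
        return [permission() for permission in self.permission_classes]

    def get_serializer_class(self):
        """Use the creation serializer for ``create``, the default otherwise."""
        if self.action == 'create':
            return CreateArticleSerializer
        return ArticleSerializer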
model.py
class Article(models.Model):
    """A blog article written by a single ``User``."""

    # Ownership reference; IsOwnerOrReadOnly compares it with request.user.
    # Deleting the user cascades to their articles.
    author = models.ForeignKey(User, on_delete=models.CASCADE)
    # unique=True already enforces a unique index; db_index is kept as declared.
    slug = models.SlugField(max_length=255, unique=True, db_index=True)
    title = models.CharField(max_length=255)
    subtitle = models.CharField(max_length=400, blank=True)
    # NOTE(review): presumably stores author-supplied rich text with uploads;
    # confirm the markup is sanitised before it is rendered to other users.
    body = RichTextUploadingField()
    # Optional featured image, stored under the 'featured_image' upload path.
    image = models.ImageField(blank=True, upload_to='featured_image')

    def __str__(self):
        """Represent the article by its title."""
        return self.title
permissions.py
class IsOwnerOrReadOnly(permissions.BasePermission):
    """Object-level rule: anyone may read, only the author may write.

    Only ``has_object_permission`` is overridden, so the rule takes effect
    where the view performs object-level checks (DRF's generic views do this
    in ``get_object()``). It does not restrict list or create requests.
    """

    def has_object_permission(self, request, view, obj):
        """Allow safe methods for everyone; otherwise require the author."""
        read_only = request.method in permissions.SAFE_METHODS
        # DELETE is not a safe method, so it reaches the ownership check.
        return read_only or obj.author == request.user
将您的 get_permissions(...) 方法更改为:
from rest_framework.permissions import IsAuthenticated
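class ArticleViewSet(viewsets.ModelViewSet):
    # ... serializer_class, queryset and get_serializer_class stay as they are ...

    def get_permissions(self):
        """Return the permission instances that apply to the current action."""
        if self.action in ('update', 'partial_update'):
            # Only the article's author may edit it.
            self.permission_classes = [IsOwnerOrReadOnly]
        elif self.action == 'destroy':
            # ModelViewSet maps the DELETE method to the 'destroy' action;
            # comparing against 'delete' never matches, so that branch would
            # never run.
            # NOTE(review): IsAuthenticated lets any logged-in user delete any
            # article. If deletion should be limited to the author, use
            # IsOwnerOrReadOnly here as well.
            self.permission_classes = [IsAuthenticated]
        return [permission() for permission in self.permission_classes]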