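Can only the owner of an object delete it?

Question (votes: 0, answers: 1)

My project is a blog REST API where users can post articles. I customized the permissions so that only the author (owner) can edit, but any user can delete an article.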

views.py

class ArticleViewSet(viewsets.ModelViewSet):
    serializer_class = ArticleSerializer
    queryset = Article.objects.all()

    def get_permissions(self):
        if self.action in ['update', 'partial_update', 'delete']:
            self.permission_classes = [IsOwnerOrReadOnly]
        return [permission() for permission in self.permission_classes]

    def get_serializer_class(self):
        if self.action == 'create':
            return CreateArticleSerializer
        return ArticleSerializer

model.py

class Article(models.Model):
    author = models.ForeignKey(User, on_delete=models.CASCADE)
    slug = models.SlugField(db_index=True, unique=True, max_length=255)
    title = models.CharField(max_length=255)
    subtitle = models.CharField(blank=True, max_length=400)
    body = RichTextUploadingField()
    image = models.ImageField(upload_to='featured_image', blank=True)

    def __str__(self):
        return self.title

permissions.py

class IsOwnerOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        return obj.author == request.user
django django-rest-framework
1 answer
0 votes

Change your get_permissions(...) method to:

from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated


class ArticleViewSet(viewsets.ModelViewSet):
    # your code
    def get_permissions(self):
        if self.action in ['update', 'partial_update']:
            self.permission_classes = [IsOwnerOrReadOnly]
        # DRF names the DELETE action 'destroy'; 'delete' never matches self.action
        elif self.action == 'destroy':
            self.permission_classes = [IsAuthenticated]
        return [permission() for permission in self.permission_classes]
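
An added example, not part of the original question or answer: Django REST framework sets self.action to 'destroy' for DELETE requests, so an action list that names 'delete' never applies its permission class to deletions and the viewset falls back to its default permission_classes. The stdlib-only check below flags such names in viewset source; `unknown_actions`, `extra_actions` and the inlined sample strings are assumptions of this example.

```python
import ast

# Action names a DRF ModelViewSet assigns to self.action (DELETE -> "destroy").
STANDARD_ACTIONS = {"list", "create", "retrieve", "update",
                    "partial_update", "destroy"}


def _is_self_action(node):
    """True for the expression `self.action`."""
    return (isinstance(node, ast.Attribute) and node.attr == "action"
            and isinstance(node.value, ast.Name) and node.value.id == "self")


def unknown_actions(source, extra_actions=()):
    """Return sorted (line, name) pairs for string literals compared with
    self.action that are neither standard actions nor listed in
    extra_actions (names of the project's own @action methods)."""
    known = STANDARD_ACTIONS | set(extra_actions)
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Compare) and _is_self_action(node.left)):
            continue
        for comp in node.comparators:
            # `in [...]` yields a List/Tuple/Set node, `== '...'` a Constant.
            items = (comp.elts if isinstance(comp, (ast.List, ast.Tuple, ast.Set))
                     else [comp])
            for item in items:
                if (isinstance(item, ast.Constant) and isinstance(item.value, str)
                        and item.value not in known):
                    findings.append((item.lineno, item.value))
    return sorted(findings)


# get_permissions() from the question, inlined as sample input.
QUESTION_VIEW = """
class ArticleViewSet(viewsets.ModelViewSet):
    def get_permissions(self):
        if self.action in ['update', 'partial_update', 'delete']:
            self.permission_classes = [IsOwnerOrReadOnly]
        return [permission() for permission in self.permission_classes]
"""
# Constructed variant using the action name DRF sets for DELETE requests.
FIXED_VIEW = QUESTION_VIEW.replace("'delete'", "'destroy'")

if __name__ == "__main__":
    print(unknown_actions(QUESTION_VIEW))  # the never-matching 'delete' branch
    print(unknown_actions(FIXED_VIEW))
```

Run over a project's views in CI, a non-empty result points at a permission branch that can never execute.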