DRF Viewset remove permission for detail route

瘦欲@ 提交于 2020-12-30 08:28:23

问题


I have a basic Viewset:

class UsersViewSet(viewsets.ModelViewSet):
    permission_classes = (OnlyStaff,)
    queryset = User.objects.all()
    serializer_class = UserSerializer

It is bind to the /api/users/ endpoint. I want to create a user profile page, so I need only a particular user, so I can retrieve it from /api/users/<id>/, but the problem is that I want /api/users/<id>/ to be allowed to anyone, but /api/users/ to keep its permission OnlyStaff, so no one can have access to the full list of users.

Note: Perhaps it's not such a good implementation, since anyone could brute force the data incremeting the id, but I'm willing to change it from <id> to <slug>.

How can I delete the permission from detail route?

Thanks in advance.


回答1:


Override the get_permissions() method as below

from rest_framework.permissions import AllowAny


class UsersViewSet(viewsets.ModelViewSet):
    permission_classes = (OnlyStaff,)
    queryset = User.objects.all()
    serializer_class = UserSerializer

    def get_permissions(self):
        if self.action == 'retrieve':
            return [AllowAny(), ]        
        return super(UsersViewSet, self).get_permissions()



回答2:


It would help if you posted the permission class.

But going off what you posted, it appears that only staff users can have access to the endpoints bound to that viewset. Meaning no other user type/role can access those endpoints.

Going off your question, it seems like you want to setup a IsOwnerOrStaffOrReadOnly permission and over ride the list route function of the ModelViewSet and replace permission_classes and then call super

class UsersViewSet(viewsets.ModelViewSet):
    permission_classes = (IsOwnerOrStaffOrReadOnly,)
    queryset = User.objects.all()
    serializer_class = UserSerializer

def list(self, request, *arg, **kwargs):
   self.permission_classes = (OnlyStaffCanReadList,)
   super(UsersViewSet, self).list(request, *args, **kwargs)  // python3 super().list(request, *args, **kwargs)

is Owner object permission class

class IsOwnerOrStaffOrReadOnly(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        if request.user.role == 'staff': 
           return True
        # Instance must have an attribute named `owner`.
        return obj.owner == request.user

only staff can read permission class

class OnlyStaffCanReadList(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.user.role == 'Staff': 
           return True
        else:
           return False

as provided in the comments, your user model must have the owner role. if you are using the django user model you can just do a obj.id == request.user.id comparison



来源:https://stackoverflow.com/questions/52543849/drf-viewset-remove-permission-for-detail-route

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!