使用Django REST框架,我使用此视图和权限只允许项目所有者获取他们的项目.
view.py
class ProjectViewSet(viewsets.ModelViewSet): permission_classes = ( IsProjectOwner,permissions.IsAuthenticated,) def get_queryset(self): return Project.objects.filter(owner=self.request.user)
permissions.py
class IsProjectOwner(permissions.BasePermission): def has_object_permission(self,request,view,obj): return obj.owner == request.user
当用户试图获得不属于他的项目时,会出现HTTP 404.但是,我想获得HTTP 403_Forbidden.这是我使用的测试
def test_auth_get(self): self.client.credentials( HTTP_AUTHORIZATION=self.authenticated_user_token ) response = self.client.get( '/-/projects/%s/' % self.project_owner_project_id ) self.assertEqual(response.status_code,status.HTTP_403_FORBIDDEN)
我尝试使用像REST文档http://www.django-rest-framework.org/api-guide/permissions/#object-level-permissions中的get_object()方法来解决问题.但我不知道如何在知道实际对象之前检查权限.