Django REST 权限类不能在 OR 内一起工作，而是按预期独立工作

如何解决Django REST 权限类不能在 OR 内一起工作，而是按预期独立工作

我在使用 OR 运算符将两个权限放在一起时遇到了麻烦。文档说： Doc

如果它们继承自 rest_framework.permissions.BasePermission，则可以使用标准 Python 按位运算符组合权限。例如， IsAuthenticatedOrReadOnly 可以写成： ... permission_classes = [IsAuthenticated|ReadOnly]

所以我创建了权限： permissions.py

class IsFullUserOrReadOnly(permissions.BasePermission):
    """
    This class defines the permission to only allow the request to certain users with a
    certain role."""
    def has_permission(self,request,view):
        """
        This function overrides the default has_permission method to allow the writing methods
        only to full users or admin users
        """

        if request.method in permissions.SAFE_METHODS:
            return True

        is_full_user = False


        queryset = User.objects.get(email=request.user)
        if queryset:
            user = UserSerializer(queryset)
            if 'roles' in user.data:
                for role in user.data['roles']:
                    if role == ADMIN or role == FULL_USER:
                        is_full_user = True

        print('IsFullUserOrReadOnly')
        print(is_full_user)
        print(request.method)
        print(request.method =='POST')
        return is_full_user or request.method =='POST'

class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    This class defines the permission to only allow the POST and PUT methods to the creator of
    the item."""
    def has_object_permission(self,view,obj):
        """
        This function overrides the default has_object_permission method to allow the writing
        methods to the owner of the object
        """
        if request.method in permissions.SAFE_METHODS:
            return True

        # Instance must have an attribute named `created_by`.
        print('IsOwnerOrReadOnly')
        print(obj.created_by == request.user)

        return obj.created_by == request.user

然后我将它们添加到我的视图中： view.py

class ItemViewset(viewsets.ModelViewSet): # pylint: disable=too-many-ancestors
    """API Endpoint to return the list of items"""
    queryset = Item.objects.all()
    serializer_class = ItemSerializer
    # permission_classes = (IsAuthenticated,IsFullUserOrReadOnly,)
    permission_classes = [IsAuthenticated,IsFullUserOrReadOnly|IsOwnerOrReadOnly,]
    # permission_classes = [IsAuthenticated,IsOwnerOrReadOnly]

这两条带注释的行在 permission_classes 中按预期工作，但是当我尝试将它们一起使用时，这意味着，作为非安全方法的完整用户或所有者，它始终允许一切。看起来没有条件了。

我不知道我是否遗漏了什么，但据我所知，这应该可行。我错过了什么吗？

解决方法

    def has_object_permission(self,request,view,obj):
        """ 
        This function overrides the default has_object_permission to prevent the bug documented in:
        https://github.com/encode/django-rest-framework/issues/7117
        """

        return self.has_permission(request,view)

    permission_classes = (IsAuthenticated,IsOwnerOrReadOnly|IsFullUserOrReadOnly,)

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 dio@foxmail.com 举报，一经查实，本站将立刻删除。