根据DRF问题跟踪器上的
此问题,最好的方法似乎是创建一个自定义权限类。视图对象具有一个
action
属性,可用于根据ViewSet的每个子操作变化响应内容。
class IsCreationOrIsAuthenticated(permissions.BasePermission):
def has_permission(self, request, view):
if not request.user.is_authenticated():
if view.action == 'create':
return True
else:
return False
else:
return True
或者更详细的内容请参考AssembledAdam
(根据SO政策,代码已在此处复制以防链接失效或被更改。)
class AnonCreateAndUpdateOwnerOnly(permissions.BasePermission):
"""
Custom permission:
- allow anonymous POST
- allow authenticated GET and PUT on *own* record
- allow all actions for staff
"""
def has_permission(self, request, view):
return view.action == 'create' or request.user and request.user.is_authenticated
def has_object_permission(self, request, view, obj):
return view.action in ['retrieve', 'update', 'partial_update'] and obj.id == request.user.id or request.user.is_staff
class ListAdminOnly(permissions.BasePermission):
"""
Custom permission to only allow access to lists for admins
"""
def has_permission(self, request, view):
return view.action != 'list' or request.user and request.user.is_staff