https://www.cnblogs.com/aguncn/p/10309559.html
https://stackoverflow.com/a/49626193
https://stackoverflow.com/a/37397107
The BasePermission class has the following two permission methods:
    def has_permission(self, request, view)
    def has_object_permission(self, request, view, obj)
These two methods are called to restrict unauthorized users from inserting and manipulating data.
has_permission is called on all HTTP requests, whereas has_object_permission is called from the DRF method get_object(self). Hence has_object_permission is available for GET, PUT and DELETE, but not for POST requests.
In summary:
The classes listed in permission_classes are looped over in order.
has_object_permission is called after has_permission returns True, except for POST (for POST only has_permission is executed).
When a permission class method returns False, the request is denied and the loop stops; otherwise every permission in the list is checked.
has_permission is called on all HTTP requests (GET, POST, PUT, DELETE).
has_object_permission is not called on HTTP POST requests, so POST has to be restricted in has_permission.
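The call order summarised above, as an added example that is not from the original post or from DRF itself. The permission class is duck-typed so it runs without Django installed; run_checks, make_request and DISCUSSION are hypothetical stand-ins for DRF's view dispatch and for constructed sample data, and the permission string is the custom one this page defines further down.

```python
from types import SimpleNamespace

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same values as DRF's permissions.SAFE_METHODS


class CanCreateOrIsAuthor:
    """Duck-typed here; in a project, subclass rest_framework.permissions.BasePermission."""

    def has_permission(self, request, view):
        # Called on every request. POST never reaches has_object_permission,
        # so creation must be restricted here.
        if request.method == "POST":
            return request.user.has_perm("blog.create_discussion")
        return request.method in SAFE_METHODS or request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        # Called only after get_object() has fetched a row.
        return request.method in SAFE_METHODS or obj.author == request.user.name


def run_checks(permission_classes, request, obj=None):
    """Simplified stand-in (an assumption) for the order DRF runs the checks in."""
    calls = []
    perms = [cls() for cls in permission_classes]
    for perm in perms:
        calls.append("has_permission")
        if not perm.has_permission(request, None):
            return False, calls  # first False denies the request and ends the loop
    if obj is not None:  # the view called get_object(): detail GET, PUT, DELETE
        for perm in perms:
            calls.append("has_object_permission")
            if not perm.has_object_permission(request, None, obj):
                return False, calls
    return True, calls


def make_request(method, name, perms=()):
    # Constructed sample request; has_perm mimics django.contrib.auth's User.has_perm.
    user = SimpleNamespace(name=name, is_authenticated=True,
                           has_perm=lambda codename: codename in perms)
    return SimpleNamespace(method=method, user=user)


DISCUSSION = SimpleNamespace(author="alice")  # constructed sample object
```

If the POST branch were removed from has_permission, any authenticated user could create objects, because the object-level check is never consulted for a create.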
Django: Building complex queries with Q objects
https://mozillazg.com/2015/11/django-the-power-of-q-objects-and-how-to-use-q-object.html
Dynamically building query conditions: not used yet. Keep it in mind.
Custom permissions in a model
    from django.db import models

    class Discussion(models.Model):
        ...

        class Meta:
            # Custom permissions as (codename, human-readable name) pairs
            permissions = (
                ("create_discussion", "Can create a discussion"),
                ("reply_discussion", "Can reply discussion"),
            )
Check whether a user has a custom permission:
user.has_perm('blog.create_discussion')