The current situation: anyone can fetch any user's favorites records,
and anyone can delete any favorite record.
So we need permission control.
https://www.django-rest-framework.org/api-guide/permissions/#allowany
Pair it with IsAuthenticated.
If a user accesses the endpoint without being logged in, a 401 error is returned.
Result:
https://www.django-rest-framework.org/api-guide/permissions/#examples
Create a new file:
C:\Users\huang\PycharmProjects\MxShop\apps\utils\permissions.py
from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Object-level permission to only allow owners of an object to edit it.
    Assumes the model instance has an `owner` attribute.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Instance must have an attribute named `owner`.
        return obj.user == request.user

# return self.user.name
return self.user.username
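To see what the two permission classes decide together for a favorites record, here is a standalone simulation added as an example (it is not code from the original notes or from MxShop): User, UserFav, Request and check() are constructed stand-ins for the Django/DRF objects, SAFE_METHODS mirrors DRF's tuple, and the 401/403 split assumes the authenticators named in the notes.

```python
from dataclasses import dataclass

# DRF's SAFE_METHODS tuple; a stand-in so this runs without rest_framework installed
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

@dataclass
class User:                      # constructed stand-in for the Django user
    username: str
    is_authenticated: bool = True

ANONYMOUS = User("anonymous", is_authenticated=False)

@dataclass
class UserFav:                   # constructed stand-in for the favorites model
    user: User
    goods_id: int

@dataclass
class Request:                   # only the two attributes the checks read
    method: str
    user: User

class IsAuthenticated:           # view-level check
    def has_permission(self, request):
        return request.user.is_authenticated
    def has_object_permission(self, request, obj):
        return True

class IsOwnerOrReadOnly:         # object-level check from permissions.py above
    def has_permission(self, request):
        return True
    def has_object_permission(self, request, obj):
        if request.method in SAFE_METHODS:   # any GET/HEAD/OPTIONS passes here...
            return True
        return obj.user == request.user      # ...writes need the owner

def check(request, obj, permission_classes=(IsAuthenticated, IsOwnerOrReadOnly)):
    """Apply the classes in DRF's order: all has_permission, then all
    has_object_permission. Returns the status the client sees: 401 when not
    logged in (assumes an authenticator that sends WWW-Authenticate, such as
    BasicAuthentication or JWT; SessionAuthentication alone gives 403),
    403 when logged in but not the owner, 204 for an allowed DELETE, else 200."""
    perms = [p() for p in permission_classes]
    denied = 401 if not request.user.is_authenticated else 403
    if not all(p.has_permission(request) for p in perms):
        return denied
    if not all(p.has_object_permission(request, obj) for p in perms):
        return denied
    return 204 if request.method == "DELETE" else 200
```

Note that a logged-in user's GET on another user's record still passes the object check, because the class allows all safe methods; scoping the list and retrieve queryset to request.user is a separate step.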
Entering admin / admin123 gives:
{
    "detail": "身份认证信息未提供。"
}
At this point the settings are:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    )
}
# REST_FRAMEWORK = {
#     'DEFAULT_AUTHENTICATION_CLASSES': []
# }
Next, delete a record within our own permission scope:
204 means the deletion succeeded.
Now, after entering the username and password, the response is:
"detail": "身份认证信息未提供。"
This is because our authentication classes on the view are:
authentication_classes = (JSONWebTokenAuthentication, )
They need to be changed to:
authentication_classes = (JSONWebTokenAuthentication, SessionAuthentication)