python - Django Rest Framework 在 ListAPIView 上使用 DjangoModelPermissions

Question

我正在使用 djangorestframework，我的目标是在我的 View 上使用 DjangoModelPermissions，它对 GET 请求使用react。官方文档说:

The default behavior can also be overridden to support custom model permissions. For example, you might want to include a view model permission for GET requests.

Source

所以我修改了我的模型如下:

class User(AbstractUser):
    display_name = models.CharField(_('Display Name'), blank=True, max_length=255)

    class Meta:
        permissions = (
            ("view_user", "Can view users"),
        )

    def __str__(self):
        return self.username

和 View :

class UserListAPIView(ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer
    permission_classes = (permissions.DjangoModelPermissions,)

设置:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.DjangoModelPermissions'
    ]
}

问题是我实现的 UserListAPIView 成功地将所有对象的列表返回给不属于 Group 的用户，也没有任何自定义 User权限。在我看来，DjangoModelPermissions 无效。

Answer 1

哎呀，这比我想象的要容易:

class CustomDjangoModelPermission(permissions.DjangoModelPermissions):

    def __init__(self):
        self.perms_map = copy.deepcopy(self.perms_map)  # from EunChong's answer
        self.perms_map['GET'] = ['%(app_label)s.view_%(model_name)s']