使用DRF内置的权限类

未经身份验证的用户,拒绝访问

  1. permissions.IsAuthenticated

未经身份验证的用户,只读

  1. permissions.IsAuthenticatedOrReadOnly
  1. from rest_framework import generics, permissions
  4. class DomainList(generics.ListCreateAPIView):
  5.     queryset = Domain.objects.all()
  6.     serializer_class = DomainSerializer
  7.     filter_class = DomainFilter
  8.     permission_classes = [permissions.IsAuthenticated, ]

自定义权限类

  1. from rest_framework import permissions
  4. class IsOwnerOrReadOnly(permissions.BasePermission):
  5.     """
  6.     自定义权限只允许对象的所有者编辑它。
  7.     """
  9.     def has_object_permission(self, request, view, obj):
  10.         # 读取权限允许任何请求,
  11.         # 所以我们总是允许GET,HEAD或OPTIONS请求。
  12.         if request.method in permissions.SAFE_METHODS:
  13.             return True
  15.         # 只有该snippet的所有者才允许写权限。
  16.         return obj.owner == request.user
  1. from rest_framework import generics, permissions
  2. from .permissions import IsOwnerOrReadOnly
  5. class DomainList(generics.ListCreateAPIView):
  6.     queryset = Domain.objects.all()
  7.     serializer_class = DomainSerializer
  8.     filter_class = DomainFilter
  9.     permission_classes = [permissions.IsAuthenticated,
  10.                          IsOwnerOrReadOnly]

相关文档

https://q1mi.github.io/Django-REST-framework-documentation/api-guide/permissions_zh/