0
学生不能使用不安全的方法。 我尝试测试它,但失败AssertionError: 201 != 403,而后期的方法打算被禁止。 我的函数获得的权限只在一个特定的情况下,我不明白为什么(在代码强调) 权限:无法达到测试中的DRF权限
class IsTeacherOrReadOnly(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
print (request.method)
print (request.user)
if request.method in permissions.SAFE_METHODS:
return True
print(request.user.staff)
return request.user.staff == 'T'
设置:
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': (
# 'rest_framework.authentication.BasicAuthentication',
# 'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'core.permissions.IsTeacherOrReadOnly',
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_FILTER_BACKENDS': (
'django_filters.rest_framework.DjangoFilterBackend',
),
'TEST_REQUEST_DEFAULT_FORMAT': 'json'
}
测试(我不是知道究竟会是有用的,所以我打算写全功能):
def test_student_API(self):
factory = APIRequestFactory()
User(username='student1', password='qwert1234', staff="S").save()
student = User.objects.get(username='student1')
Token.objects.create(user=student)
self.student_list_api(factory, student)
self.student_detail_api(factory, student)
def student_list_api(self, factory, student):
class_time_list = ClassTimeViewSet.as_view({'get': 'list'})
self._student_list_api_request(factory, student, class_time_list, 'api/v0/classtimes', 8)
def _student_list_api_request(self, factory, student, class_time_list,
url, resp_len):
student_request = factory.get(url)
response_unauthenticated = class_time_list(student_request)
self.assertEqual(response_unauthenticated.status_code,
status.HTTP_401_UNAUTHORIZED)
force_authenticate(student_request, student, token=student.auth_token)
response = class_time_list(student_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(len(response.data), resp_len)
def student_detail_api(self, factory, student):
class_time_detail = ClassTimeViewSet.as_view({'get': 'retrieve'})
student_request = factory.get('api/v0/classtimes')
response_unauthenticated = class_time_detail(student_request, pk=1)
self.assertEqual(response_unauthenticated.status_code, status.HTTP_401_UNAUTHORIZED)
force_authenticate(student_request, student, student.auth_token)
print('--------------')
print('Only in this case permissions is reached')
response = class_time_detail(student_request, pk=1)
print('---------------')
response.render()
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(json.loads(response.content), {
"id": 1,
"lesson_start": "08:30:00",
"lesson_end": "09:15:00"
})
class_time_detail = ClassTimeViewSet.as_view({'post':'create'})
student_request = factory.post('api/v0/classtimes',{'lesson_start':'20:00:00','lesson_end':'20:45:00'},format='json')
force_authenticate(student_request,student,student.auth_token)
response = class_time_detail(student_request)
response.render()
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
输出:
Creating test database for alias 'default'...
System check identified no issues (0 silenced).
----
Only in this case permissions is reached
GET
student1
---
Failure
Traceback (most recent call last):
File "D:\PyProjects\DjangoReact\classtime\tests.py", line 33, in test_student_API
self.student_detail_api(factory, student)
File "D:\PyProjects\DjangoReact\classtime\tests.py", line 83, in student_detail_api
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
AssertionError: 201 != 403
Destroying test database for alias 'default'...