I wrote a very simple view:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render
from django.views.decorators.csrf import csrf_exempt
from rest_framework.authentication import TokenAuthentication
from rest_framework.decorators import authentication_classes, permission_classes
from rest_framework.permissions import IsAdminUser, IsAuthenticated

from .models import Department  # the app's own model; import path assumed


@csrf_exempt
@login_required()
@authentication_classes([TokenAuthentication])
@permission_classes([IsAdminUser, IsAuthenticated])
def department_management_view(request):
    # POST creates a department, then the full list is rendered either way
    if request.method == 'POST':
        department_name = request.POST.get('department_name')
        Department.objects.create(name=department_name)
    all_departments = Department.objects.all()
    return render(request, 'department_management.html', {"departments": all_departments})
The corresponding URL: http://localhost/department_management
Its function is equally simple: create, read, update and delete Department objects, and the model has only one field.
After logging in as a non-"admin" user I could still open this URL, although the intent was that only "admin" users could. After some searching I found the clue in the rest_framework official documentation: adding the @api_view decorator is enough. The reason is that @authentication_classes and @permission_classes do nothing on their own; they only store the class lists as attributes on the function. It is @api_view that wraps the function in a DRF APIView, reads those attributes and runs the permission checks before the body executes, so @api_view has to sit above (outside) the other DRF decorators. Without it the only gate on the view was Django's @login_required, which checks that the user is logged in, not that the user is staff (which is what IsAdminUser checks), so any logged-in user got through:

from rest_framework.decorators import api_view  # in addition to the imports used above


@api_view(['GET', 'POST'])  # must be the outermost decorator
@csrf_exempt
@login_required()
@authentication_classes([TokenAuthentication])
@permission_classes([IsAdminUser, IsAuthenticated])
def department_management_view(request):
    # @api_view wraps the function in an APIView that reads the
    # authentication_classes / permission_classes attributes set by the
    # decorators below and enforces them before this body runs.
    if request.method == 'POST':
        department_name = request.POST.get('department_name')
        Department.objects.create(name=department_name)
    all_departments = Department.objects.all()
    return render(request, 'department_management.html', {"departments": all_departments})

With this in place a non-admin user gets a 403 instead of the page. One thing to check: because TokenAuthentication is the only authentication class listed, DRF ignores a browser session cookie, so a request without an Authorization: Token header is rejected as unauthenticated. Add SessionAuthentication to the list if the page is meant to be opened from a normal browser login.
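To make the mechanism visible without a Django project, here is an added, self-contained model of it (my own toy code, not DRF's implementation and not from the post above). It mirrors how rest_framework's permission_classes decorator only attaches an attribute to the function and how api_view reads that attribute, and it goes one step beyond the post by also showing what happens when @api_view is not the outermost decorator. The Request class, the integer status codes and the simplified login_required are stand-ins I constructed for the example.

```python
"""Model of the DRF mechanism behind the fix above (toy code, not DRF)."""
from functools import wraps


class Request:
    """Constructed stand-in for a request whose user is already resolved."""

    def __init__(self, is_staff, is_authenticated=True):
        self.is_staff = is_staff
        self.is_authenticated = is_authenticated


class IsAuthenticated:
    def has_permission(self, request):
        return request.is_authenticated


class IsAdminUser:
    # DRF's IsAdminUser checks user.is_staff; the model keeps that meaning.
    def has_permission(self, request):
        return request.is_authenticated and request.is_staff


def permission_classes(classes):
    """Like DRF's decorator: attach the list as an attribute, enforce nothing."""
    def decorator(func):
        func.permission_classes = classes
        return func
    return decorator


def login_required(func):
    """Like Django's login_required: an authentication check, no role check."""
    @wraps(func)  # copies func.__dict__, so the permission_classes tag survives
    def wrapper(request):
        if not request.is_authenticated:
            return 302  # redirect to the login page
        return func(request)
    return wrapper


def api_view(methods):
    """Like DRF's decorator: read the tag off the function and enforce it."""
    def decorator(func):
        perms = getattr(func, "permission_classes", [])

        @wraps(func)
        def wrapper(request):
            for perm in perms:
                if not perm().has_permission(request):
                    return 403
            return func(request)
        return wrapper
    return decorator


# The original view: tagged but never wrapped, so the tag is inert.
@login_required
@permission_classes([IsAdminUser, IsAuthenticated])
def unprotected_view(request):
    return 200


# The fixed view: api_view is outermost, so it sees the tag and enforces it.
@api_view(["GET", "POST"])
@login_required
@permission_classes([IsAdminUser, IsAuthenticated])
def protected_view(request):
    return 200


# Wrong order: api_view is applied first and finds no tag; the tag is then
# set on api_view's wrapper, where nothing ever reads it.
@permission_classes([IsAdminUser, IsAuthenticated])
@api_view(["GET", "POST"])
@login_required
def wrong_order_view(request):
    return 200


def probe(view):
    """Return (non-admin, admin, anonymous) status codes for a view."""
    return (
        view(Request(is_staff=False)),
        view(Request(is_staff=True)),
        view(Request(is_staff=False, is_authenticated=False)),
    )


if __name__ == "__main__":
    for v in (unprotected_view, protected_view, wrong_order_view):
        print(f"{v.__name__:17} non-admin/admin/anonymous -> {probe(v)}")
```

Running it shows the unprotected and wrong-order views returning 200 for the non-admin user, while only the correctly ordered view returns 403. The same ordering rule applies to real DRF: permission_classes and authentication_classes must be applied before (i.e. listed below) @api_view, or their attributes land on the already-built view and are ignored.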