1. Basic use of permissions
Different views should have different access permissions. The basic use of permissions looks like this:
permission.py:
class MyPermission1:
    def has_permission(self, request, view):
        # only superusers (user_type 3) may access
        if request.user.user_type != 3:
            return False
        return True


class MyPermission2:
    def has_permission(self, request, view):
        # ordinary users may access, superusers may not
        if request.user.user_type == 3:
            return False
        return True
views.py:
from rest_framework.views import APIView
from .models import User, UserToken
from django.http import JsonResponse
from utils.md5 import md5
from django.http import HttpResponse
from app import permission


class AuthView(APIView):
    authentication_classes = []

    def post(self, request, *args, **kwargs):
        ret = {'code': 1000, 'msg': None}
        try:
            # must be submitted as form-data
            name = request._request.POST.get('name')
            pwd = request._request.POST.get('pwd')
            instance = User.objects.filter(name=name, pwd=pwd).first()  # User object (1)
            print(type(instance))  # <class 'app.models.User'>, same result with or without all()
            print(instance)  # User object (1), same result with or without all()
            if not instance:
                ret['code'] = 1001
                ret['msg'] = '用戶名或密碼錯誤'
            else:
                token = md5(name=name)
                UserToken.objects.update_or_create(user=instance, defaults={'token': token})
                ret['token'] = token
        except Exception as e:
            ret['code'] = 1001
            ret['msg'] = '請求異常'
        return JsonResponse(ret)


class OrderView(APIView):
    # requires authentication; the custom Authenticate class is already registered globally
    # authentication_classes = [FirstAuthenticate, Authenticate, ]
    permission_classes = [permission.MyPermission2, ]

    def get(self, request, *args, **kwargs):
        # request.user
        # request.auth
        print(request.user)  # User object (1)
        print(request.auth)  # User object (1)
        """
        permission:
        if request.user.user_type != 3:
            return HttpResponse('無權訪問')
        """
        self.dispatch  # no-op attribute reference, kept as an entry point for reading the dispatch source
        order_dict = {
            1: {
                'name': "thanlon",
                'age': 24,
                'gender': '男',
            },
            2: {
                'name': "kiku",
                'age': 26,
                'gender': '女',
            },
        }
        # token = request._request.GET.get('token')
        ret = {'code': 1000, "msg": None, 'data': None}
        try:
            ret['data'] = order_dict
        except Exception as e:
            pass
        return JsonResponse(ret)
With MyPermission1 in place, an ordinary user is refused:
With MyPermission2, an ordinary user gets through normally:
2. Permission flow in the source
Walking through the source shows the permission flow:
A custom permission class can also define its own denial message:
class MyPermission1:
    message = '必須是超級用戶纔可以訪問'

    def has_permission(self, request, view):
        # only superusers (user_type 3) may access
        if request.user.user_type != 3:
            return False
        return True


class MyPermission2:
    def has_permission(self, request, view):
        # ordinary users may access, superusers may not
        if request.user.user_type == 3:
            return False
        return True
3. Global permission configuration
Following the permission flow, permissions can also be configured globally:
settings.py:
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': ['app.permission.MyPermission1', ]  # every method of every view now carries this permission
}
permission.py:
class MyPermission1:
    message = '必須是超級用戶纔可以訪問'

    def has_permission(self, request, view):
        # only superusers (user_type 3) may access
        if request.user.user_type != 3:
            return False
        return True


class MyPermission2:
    def has_permission(self, request, view):
        # ordinary users may access, superusers may not
        if request.user.user_type == 3:
            return False
        return True
Outline of the source flow:
1. self.dispatch
2. def dispatch(self, request, *args, **kwargs)
3. self.initial(request, *args, **kwargs)
4. self.check_permissions(request)
5. def get_permissions(self)
6. permission.has_permission(request, self)
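The six steps above, together with the custom message from section 2 and the global default from section 3, as an added stand-alone example that is not code from the post: Django and DRF are not imported, so APIException, NotAuthenticated, PermissionDenied, APIView, the REST_FRAMEWORK dict and the request and user objects are simplified stand-ins that mirror the real flow. It places the post's MyPermission1 next to a hardened variant, because an unauthenticated request carries AnonymousUser, which has no user_type; the post's class then raises AttributeError (a 500) instead of denying cleanly.

```python
# Added example, not the post's code: a stand-alone emulation of the DRF path
# dispatch -> initial -> check_permissions -> get_permissions -> has_permission
# -> permission_denied. Exceptions, APIView, settings and request/user are stand-ins.
from types import SimpleNamespace

class APIException(Exception):
    status_code = 500

class NotAuthenticated(APIException):
    status_code = 401  # DRF turns this into 403 when no WWW-Authenticate header is available

class PermissionDenied(APIException):
    status_code = 403

class MyPermission1:
    """The post's class: only superusers (user_type == 3) may access."""
    message = '必須是超級用戶纔可以訪問'

    def has_permission(self, request, view):
        if request.user.user_type != 3:
            return False
        return True

class SafeSuperuserPermission:
    """Hardened variant: AnonymousUser has no user_type, so MyPermission1 raises
    AttributeError (a 500) for an unauthenticated request; getattr fails closed."""
    message = '必須是超級用戶纔可以訪問'

    def has_permission(self, request, view):
        return getattr(request.user, 'user_type', None) == 3

# Stand-in for settings.py: REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'].
REST_FRAMEWORK = {'DEFAULT_PERMISSION_CLASSES': [MyPermission1]}

class APIView:
    # As in DRF, the class-level default comes from settings; a view overrides it
    # by assigning its own permission_classes.
    permission_classes = REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES']

    def get_permissions(self):  # step 5
        return [permission() for permission in self.permission_classes]

    def permission_denied(self, request, message=None):
        # DRF: authenticators were configured but none succeeded -> "not authenticated"
        if request.authenticators and not request.successful_authenticator:
            raise NotAuthenticated('Authentication credentials were not provided.')
        raise PermissionDenied(message or 'You do not have permission to perform this action.')

    def check_permissions(self, request):  # step 4
        for permission in self.get_permissions():
            if not permission.has_permission(request, self):  # step 6
                self.permission_denied(request, message=getattr(permission, 'message', None))

    def initial(self, request):  # step 3
        self.check_permissions(request)

    def dispatch(self, request):  # steps 1-2
        try:
            self.initial(request)
            return {'status': 200, 'data': self.get(request)}
        except APIException as exc:
            return {'status': exc.status_code, 'detail': str(exc)}

    def get(self, request):
        return {'code': 1000}

class OrderView(APIView):
    pass  # no override, so the global MyPermission1 applies

class HardenedOrderView(APIView):
    permission_classes = [SafeSuperuserPermission]

class OpenView(APIView):
    permission_classes = []  # an explicit empty list switches the global default off

# Constructed stand-ins for request.user; the anonymous one has no user_type.
SUPERUSER = SimpleNamespace(user_type=3)
NORMAL_USER = SimpleNamespace(user_type=1)
ANONYMOUS = SimpleNamespace()

def run(view_cls, user, authenticated=True):
    """Send one constructed request through the view; an unhandled exception is
    reported the way Django would report it, as a 500."""
    request = SimpleNamespace(user=user, authenticators=[object()],
                              successful_authenticator=object() if authenticated else None)
    try:
        return view_cls().dispatch(request)
    except Exception as exc:
        return {'status': 500, 'detail': type(exc).__name__}

if __name__ == '__main__':
    print(run(OrderView, SUPERUSER))                               # 200
    print(run(OrderView, NORMAL_USER))                             # 403, custom message
    print(run(OrderView, ANONYMOUS, authenticated=False))          # 500, AttributeError
    print(run(HardenedOrderView, ANONYMOUS, authenticated=False))  # 401
    print(run(OpenView, ANONYMOUS, authenticated=False))           # 200
```

The OpenView case is worth noting: once DEFAULT_PERMISSION_CLASSES is set, the only way to open a view up again is an explicit empty permission_classes on that view, so an audit of "which endpoints are unprotected" reduces to grepping for that override.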
4. Built-in permission classes
Django REST framework ships with a number of built-in permission classes:
By coding convention, the permission classes we write ourselves should inherit from this BasePermission class:
from rest_framework.permissions import BasePermission


class MyPermission1(BasePermission):
    def has_permission(self, request, view):
        return True


class MyPermission2(BasePermission):
    def has_permission(self, request, view):
        return True
The built-in classes are basically all built on Django's own auth system; we usually do not use them and instead write our own.
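Why inheriting from BasePermission is more than a style convention, as an added example that is not code from the post or from DRF: the BasePermission below is a stand-in that mirrors rest_framework.permissions.BasePermission (in a project, import the real one), and IsSuperuser, IsOwner, BarePermission, fetch_order and the sample order and user objects are constructed for this example. DRF's base class defines two hooks, has_permission and has_object_permission, both returning True; a view's get_object() calls has_object_permission on every permission instance, so a class that skips the base class and defines only has_permission, like the first version in the post, breaks with AttributeError as soon as a detail view is involved.

```python
# Added example, not the post's or DRF's code. BasePermission here is a stand-in
# mirroring rest_framework.permissions.BasePermission (import the real one in a
# project); the other classes, fetch_order and the sample objects are constructed.
from types import SimpleNamespace

class BasePermission:
    """Both hooks default to allow, exactly as in DRF's base class."""
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True

class IsSuperuser(BasePermission):
    message = '必須是超級用戶纔可以訪問'

    def has_permission(self, request, view):
        return getattr(request.user, 'user_type', None) == 3

class IsOwner(BasePermission):
    """Object-level rule: a user may only reach orders they own."""
    message = '只能訪問自己的訂單'

    def has_object_permission(self, request, view, obj):
        return obj.owner_id == getattr(request.user, 'id', None)

class BarePermission:
    """Does not inherit BasePermission and defines only has_permission, like the
    first version in the post; it works until a view calls get_object()."""
    def has_permission(self, request, view):
        return True

def fetch_order(permission_classes, user, order):
    """Emulates a GenericAPIView detail request: initial() runs has_permission on
    every permission, then get_object() runs has_object_permission on every one.
    A class lacking has_object_permission raises AttributeError, which Django
    reports as a 500 instead of a clean 403."""
    permissions = [p() for p in permission_classes]
    request = SimpleNamespace(user=user)
    view = SimpleNamespace(permission_classes=permission_classes)
    try:
        for permission in permissions:  # initial -> check_permissions
            if not permission.has_permission(request, view):
                return {'status': 403, 'detail': getattr(permission, 'message', None)}
        for permission in permissions:  # get_object -> check_object_permissions
            if not permission.has_object_permission(request, view, order):
                return {'status': 403, 'detail': getattr(permission, 'message', None)}
    except AttributeError as exc:
        return {'status': 500, 'detail': type(exc).__name__}
    return {'status': 200, 'data': {'id': order.id, 'owner_id': order.owner_id}}

# Constructed sample data.
ORDER = SimpleNamespace(id=1, owner_id=7)
OWNER = SimpleNamespace(id=7, user_type=1)
OTHER = SimpleNamespace(id=8, user_type=1)

if __name__ == '__main__':
    print(fetch_order([IsOwner], OWNER, ORDER))               # 200
    print(fetch_order([IsOwner], OTHER, ORDER))               # 403, not the owner
    print(fetch_order([IsSuperuser, IsOwner], OWNER, ORDER))  # 403, superuser check fails first
    print(fetch_order([BarePermission], OWNER, ORDER))        # 500, no has_object_permission
```

The ordering in fetch_order matches DRF: view-level checks run for every request before the object is even loaded, and object-level checks only run where the view fetches a single object, so an owner rule in has_object_permission never protects a list endpoint on its own.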