1. Basic use of permissions
Different views should have different access permissions. Below is the basic use of a permission class:
permission.py:
    class MyPermission1:
        def has_permission(self, request, view):
            # only superusers (user_type == 3) may access
            if request.user.user_type != 3:
                return False
            return True

    class MyPermission2:
        def has_permission(self, request, view):
            # ordinary users may access; superusers may not
            if request.user.user_type == 3:
                return False
            return True
views.py:
    from rest_framework.views import APIView
    from django.http import JsonResponse, HttpResponse
    from utils.md5 import md5  # project helper that derives the token string from the name
    from app import permission
    from .models import User, UserToken


    class AuthView(APIView):
        authentication_classes = []  # the login endpoint itself requires no authentication

        def post(self, request, *args, **kwargs):
            ret = {'code': 1000, 'msg': None}
            try:
                # must be submitted as form-data
                name = request._request.POST.get('name')
                pwd = request._request.POST.get('pwd')
                instance = User.objects.filter(name=name, pwd=pwd).first()  # User object (1)
                print(type(instance))  # <class 'app.models.User'>, same result with or without all()
                print(instance)  # User object (1), same result with or without all()
                if not instance:
                    ret['code'] = 1001
                    ret['msg'] = '用户名或密码错误'  # "wrong username or password"
                else:
                    token = md5(name=name)
                    UserToken.objects.update_or_create(user=instance, defaults={'token': token})
                    ret['token'] = token
            except Exception as e:
                ret['code'] = 1001
                ret['msg'] = '请求异常'  # "request error"
            return JsonResponse(ret)


    class OrderView(APIView):
        # requires authentication: the custom Authenticate class is already configured globally,
        # so nothing needs to be set on the view
        # authentication_classes = [FirstAuthenticate, Authenticate, ]
        permission_classes = [permission.MyPermission2, ]

        def get(self, request, *args, **kwargs):
            # request.user and request.auth are filled in by the authentication class
            print(request.user)  # User object (1)
            print(request.auth)  # User object (1)
            """
            Permission check, if done by hand inside the view instead of in a permission class:
            if request.user.user_type != 3:
                return HttpResponse('无权访问')  # "no permission to access"
            """
            # self.dispatch -- entry point for tracing the permission flow in the source (section 2)
            order_dict = {
                1: {
                    'name': "thanlon",
                    'age': 24,
                    'gender': '男',
                },
                2: {
                    'name': "kiku",
                    'age': 26,
                    'gender': '女',
                },
            }
            # token = request._request.GET.get('token')
            ret = {'code': 1000, "msg": None, 'data': None}
            try:
                ret['data'] = order_dict
            except Exception as e:
                pass
            return JsonResponse(ret)
With MyPermission1, an ordinary user is denied access:
With MyPermission2, an ordinary user accesses the view normally:
2. Permission flow in the source
Walk through the source to get familiar with the permission flow:
A custom denial message can be set on your own permission class via the message attribute:
    class MyPermission1:
        message = '必须是超级用户才可以访问'  # "must be a superuser to access"

        def has_permission(self, request, view):
            # only superusers (user_type == 3) may access
            if request.user.user_type != 3:
                return False
            return True

    class MyPermission2:
        def has_permission(self, request, view):
            # ordinary users may access; superusers may not
            if request.user.user_type == 3:
                return False
            return True
3. Global permission configuration
Following the permission flow, permissions can also be configured globally:
settings.py:
    REST_FRAMEWORK = {
        # every method of every view now gets this permission unless the view overrides permission_classes
        'DEFAULT_PERMISSION_CLASSES': ['app.permission.MyPermission1', ]
    }
permission.py:
    class MyPermission1:
        message = '必须是超级用户才可以访问'  # "must be a superuser to access"

        def has_permission(self, request, view):
            # only superusers (user_type == 3) may access
            if request.user.user_type != 3:
                return False
            return True

    class MyPermission2:
        def has_permission(self, request, view):
            # ordinary users may access; superusers may not
            if request.user.user_type == 3:
                return False
            return True
Overview of the source flow:
1. self.dispatch
2. def dispatch(self, request, *args, **kwargs)
3. self.initial(request, *args, **kwargs)
4. self.check_permissions(request)
5. def get_permissions(self)
6. permission.has_permission(request, self)
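As an added example (not code from the original post or from DRF itself), the following stand-alone Python models the dispatch -> initial -> check_permissions -> get_permissions -> has_permission chain listed above without Django or DRF installed. The names PermissionDenied, SuperuserOnly, OrderView and handle are assumptions for the demo; the point it adds is that has_permission should deny by default, reading user_type through getattr with a fallback, because request.user.user_type raises AttributeError for a request whose user is anonymous and has no user_type attribute at all.

```python
from types import SimpleNamespace


class PermissionDenied(Exception):
    """Raised by check_permissions; DRF turns this into a 403 response."""


class BasePermission:
    message = None  # optional custom denial message, as in section 2

    def has_permission(self, request, view):
        return True


class SuperuserOnly(BasePermission):
    """Same rule as MyPermission1: only user_type == 3 may pass."""
    message = 'Must be a superuser to access'

    def has_permission(self, request, view):
        # getattr with a default: an anonymous user (no user_type attribute)
        # is denied instead of raising AttributeError out of the view.
        return getattr(request.user, 'user_type', None) == 3


class OrderView:
    """Stand-in for the APIView; only the permission part of the flow is modelled."""
    permission_classes = [SuperuserOnly]

    def get_permissions(self):
        return [cls() for cls in self.permission_classes]

    def check_permissions(self, request):
        # every class must approve; the first refusal ends the request
        for perm in self.get_permissions():
            if not perm.has_permission(request, self):
                raise PermissionDenied(perm.message or 'Forbidden')

    def dispatch(self, request):
        # DRF's dispatch() -> initial() runs authentication, then this check
        try:
            self.check_permissions(request)
        except PermissionDenied as e:
            return {'status': 403, 'detail': str(e)}
        return {'status': 200, 'detail': 'ok'}


def handle(user):
    """Constructed request whose user is a user object, or None for anonymous."""
    return OrderView().dispatch(SimpleNamespace(user=user))
```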
4. Built-in permission classes
Django REST framework ships with a number of built-in permission classes:
By convention, our own permission classes should inherit from BasePermission:
    from rest_framework.permissions import BasePermission


    class MyPermission1(BasePermission):
        def has_permission(self, request, view):
            return True


    class MyPermission2(BasePermission):
        def has_permission(self, request, view):
            return True
The built-in classes are basically built on Django's own auth system; in practice we usually do not use them directly but write our own.