2. 程式人生 > >Django rest framework 許可權操作(原始碼分析二)

Django rest framework 許可權操作(原始碼分析二)

阿新 發佈:2018-11-09

知識回顧 

這一篇是基於上一篇寫的,上一篇謝了認證的具體流程,看懂了上一篇這一篇才能看懂,

當用戶訪問是 首先執行dispatch函式,當執行當第二部時:

   #2.處理版本資訊 處理認證資訊 處理許可權資訊 對使用者的訪問頻率進行限制
            self.initial(request, *args, **kwargs)

進入到initial方法:

複製程式碼 
 def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        
 
"""
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
 

        #2.1處理版本資訊
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted
        #2.2處理認證資訊
        self.perform_authentication(request)
        
 
#2.3處理許可權資訊
        self.check_permissions(request)
        #2.4對使用者的訪問頻率進行限制
        self.check_throttles(request)
複製程式碼 
 #2.3處理許可權資訊
        self.check_permissions(request)

下面 開始 許可權的具體分析:

進入到check_permissions函式中

複製程式碼 
 #檢查許可權
    def check_permissions(self, request):
        """
        Check if the request should be permitted.
        Raises an appropriate exception if the request is not permitted.
        """
        #elf.get_permissions()得到的是一個許可權物件列表
        for permission in self.get_permissions():
            #在自定義的Permission中has_permission方法是必須要有的
            #判斷當前has_permission返回的是True,False,還是丟擲異常
            #如果是True則表示許可權通過,False執行下面程式碼
            if not permission.has_permission(request, self):
                #為False的話則丟擲異常,當然這個異常返回的提示資訊是英文的,如果我們想讓他顯示我們自定義的提示資訊
                #我們重寫permission_denied方法即可
                self.permission_denied(
                    #從自定義的Permission類中獲取message(許可權錯誤提示資訊),一般自定義的話都建議寫上,如果沒有則為預設的(英文提示)
                    request, message=getattr(permission, 'message', None)
                )
複製程式碼

檢視permission_denied方法(如果has_permission返回True則不執行該方法)

複製程式碼 
 def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """
        if request.authenticators and not request.successful_authenticator:
            #沒有登入提示的錯誤資訊
            raise exceptions.NotAuthenticated()
        #一般是登陸了但是沒有許可權提示
        raise exceptions.PermissionDenied(detail=message)
複製程式碼

 

舉例:

from django.db import models

# Create your models here.
class Userinfo(models.Model):
    name=models.CharField(max_length=32,verbose_name='使用者名稱')
    pwd=models.CharField(max_length=32,verbose_name='密碼')
    token=models.CharField(max_length=64,null=True)

    def __str__(self):
        return self.name
models 
urlpatterns = [
    url(r'^p/', app02_views.Pview.as_view()),
    url(r'^mp/', app02_views.Aview.as_view()),
    url(r'^jp/', app02_views.Jview.as_view()),
]
urls 
from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework import exceptions


from app01 import models
# Create your views here.

class MyAuthentication(BaseAuthentication):

    def authenticate(self, request):
        token=request.query_params.get('token')
        user=models.Userinfo.objects.filter(token=token).first()
        if user:
            return (user.name,user)
        return None

class MyPermission(object):
    message = '登入才可以訪問'
    def has_permission(self,request, view):
        if request.user:
            return True
        return False

class AdminPermission(object):
    message = '會員才可以訪問'
    def has_permission(self,request,view):
        if request.user=='ctz':
            return True
        return False

class Pview(APIView):
    '''
    所有人都可以看
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = []
    def get(self,request):
        return Response('圖片列表')
    def post(self,request):
        pass




class Aview(APIView):
    '''
    登入的人可以看
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = [MyPermission,]
    def get(self,request):
        return Response('美國電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)

class Jview(APIView):
    '''
    會員才可以看
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = [MyPermission,AdminPermission,]
    def get(self,request):
        return Response('日本電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)
Views

上面的是區域性的只能在當前類中可以用,如果想在全域性中用:只需要在settings中配置即可:

from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework import exceptions

from app02.utils import MyPermission
#
#
from app01 import models
# # Create your views here.
#
# class MyAuthentication(BaseAuthentication):
#
#     def authenticate(self, request):
#         token=request.query_params.get('token')
#         user=models.Userinfo.objects.filter(token=token).first()
#         if user:
#             return (user.name,user)
#         return None
#
# class MyPermission(object):
#     message = '登入才可以訪問'
#     def has_permission(self,request, view):
#         if request.user:
#             return True
#         return False
#
# class AdminPermission(object):
#     message = '會員才可以訪問'
#     def has_permission(self,request,view):
#         if request.user=='ctz':
#             return True
#         return False

class Pview(APIView):
    '''
    所有人都可以看
    '''

    permission_classes = []
    def get(self,request):
        return Response('圖片列表')
    def post(self,request):
        pass




class Aview(APIView):
    '''
    登入的人可以看
    '''
  #  authentication_classes = [MyAuthentication,]
    permission_classes = [MyPermission,]
    def get(self,request):
        return Response('美國電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)

class Jview(APIView):
    '''
    會員才可以看
    '''
    # authentication_classes = [MyAuthentication,]
    # permission_classes = [MyPermission,AdminPermission,]
    def get(self,request):
        return Response('日本電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)
Views 
from django.shortcuts import render

from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework import exceptions
from rest_framework.exceptions import APIException


from app01 import models
# Create your views here.

class MyAuthentication(BaseAuthentication):

    def authenticate(self, request):
        token=request.query_params.get('token')
        user=models.Userinfo.objects.filter(token=token).first()
        if user:
            return (user.name,user)
        return None

class MyPermission(object):
    message = '登入才可以訪問'
    def has_permission(self,request, view):
        if request.user:
            return True
        return False

class AdminPermission(object):
    message = '會員才可以訪問'
    def has_permission(self,request,view):
        if request.user=='ctz':
            return True
        return False
utils 
REST_FRAMEWORK = {
    'UNAUTHENTICATED_USER': None,
    'UNAUTHENTICATED_TOKEN': None,
    "DEFAULT_AUTHENTICATION_CLASSES": [
      # "app01.utils.MyAuthentication",
        "app02.utils.MyAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES":[
       "app02.utils.MyPermission",
       "app02.utils.AdminPermission",
    ],
}
settings

 

知識回顧 

這一篇是基於上一篇寫的,上一篇謝了認證的具體流程,看懂了上一篇這一篇才能看懂,

當用戶訪問是 首先執行dispatch函式,當執行當第二部時:

   #2.處理版本資訊 處理認證資訊 處理許可權資訊 對使用者的訪問頻率進行限制
            self.initial(request, *args, **kwargs)

進入到initial方法:

複製程式碼 
 def initial(self, request, *args, **kwargs):
        """
        Runs anything that needs to occur prior to calling the method handler.
        """
        self.format_kwarg = self.get_format_suffix(**kwargs)

        # Perform content negotiation and store the accepted info on the request
        neg = self.perform_content_negotiation(request)
        request.accepted_renderer, request.accepted_media_type = neg

        # Determine the API version, if versioning is in use.
        #2.1處理版本資訊
        version, scheme = self.determine_version(request, *args, **kwargs)
        request.version, request.versioning_scheme = version, scheme

        # Ensure that the incoming request is permitted
        #2.2處理認證資訊
        self.perform_authentication(request)
        #2.3處理許可權資訊
        self.check_permissions(request)
        #2.4對使用者的訪問頻率進行限制
        self.check_throttles(request)
複製程式碼 
 #2.3處理許可權資訊
        self.check_permissions(request)

下面 開始 許可權的具體分析:

進入到check_permissions函式中

複製程式碼 
 #檢查許可權
    def check_permissions(self, request):
        """
        Check if the request should be permitted.
        Raises an appropriate exception if the request is not permitted.
        """
        #elf.get_permissions()得到的是一個許可權物件列表
        for permission in self.get_permissions():
            #在自定義的Permission中has_permission方法是必須要有的
            #判斷當前has_permission返回的是True,False,還是丟擲異常
            #如果是True則表示許可權通過,False執行下面程式碼
            if not permission.has_permission(request, self):
                #為False的話則丟擲異常,當然這個異常返回的提示資訊是英文的,如果我們想讓他顯示我們自定義的提示資訊
                #我們重寫permission_denied方法即可
                self.permission_denied(
                    #從自定義的Permission類中獲取message(許可權錯誤提示資訊),一般自定義的話都建議寫上,如果沒有則為預設的(英文提示)
                    request, message=getattr(permission, 'message', None)
                )
複製程式碼

檢視permission_denied方法(如果has_permission返回True則不執行該方法)

複製程式碼 
 def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """
        if request.authenticators and not request.successful_authenticator:
            #沒有登入提示的錯誤資訊
            raise exceptions.NotAuthenticated()
        #一般是登陸了但是沒有許可權提示
        raise exceptions.PermissionDenied(detail=message)
複製程式碼

 

舉例:

from django.db import models

# Create your models here.
class Userinfo(models.Model):
    name=models.CharField(max_length=32,verbose_name='使用者名稱')
    pwd=models.CharField(max_length=32,verbose_name='密碼')
    token=models.CharField(max_length=64,null=True)

    def __str__(self):
        return self.name
models 
urlpatterns = [
    url(r'^p/', app02_views.Pview.as_view()),
    url(r'^mp/', app02_views.Aview.as_view()),
    url(r'^jp/', app02_views.Jview.as_view()),
]
urls 
from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework import exceptions


from app01 import models
# Create your views here.

class MyAuthentication(BaseAuthentication):

    def authenticate(self, request):
        token=request.query_params.get('token')
        user=models.Userinfo.objects.filter(token=token).first()
        if user:
            return (user.name,user)
        return None

class MyPermission(object):
    message = '登入才可以訪問'
    def has_permission(self,request, view):
        if request.user:
            return True
        return False

class AdminPermission(object):
    message = '會員才可以訪問'
    def has_permission(self,request,view):
        if request.user=='ctz':
            return True
        return False

class Pview(APIView):
    '''
    所有人都可以看
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = []
    def get(self,request):
        return Response('圖片列表')
    def post(self,request):
        pass




class Aview(APIView):
    '''
    登入的人可以看
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = [MyPermission,]
    def get(self,request):
        return Response('美國電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)

class Jview(APIView):
    '''
    會員才可以看
    '''
    authentication_classes = [MyAuthentication,]
    permission_classes = [MyPermission,AdminPermission,]
    def get(self,request):
        return Response('日本電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)
Views

上面的是區域性的只能在當前類中可以用,如果想在全域性中用:只需要在settings中配置即可:

from django.shortcuts import render
from rest_framework.views import APIView
from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework import exceptions

from app02.utils import MyPermission
#
#
from app01 import models
# # Create your views here.
#
# class MyAuthentication(BaseAuthentication):
#
#     def authenticate(self, request):
#         token=request.query_params.get('token')
#         user=models.Userinfo.objects.filter(token=token).first()
#         if user:
#             return (user.name,user)
#         return None
#
# class MyPermission(object):
#     message = '登入才可以訪問'
#     def has_permission(self,request, view):
#         if request.user:
#             return True
#         return False
#
# class AdminPermission(object):
#     message = '會員才可以訪問'
#     def has_permission(self,request,view):
#         if request.user=='ctz':
#             return True
#         return False

class Pview(APIView):
    '''
    所有人都可以看
    '''

    permission_classes = []
    def get(self,request):
        return Response('圖片列表')
    def post(self,request):
        pass




class Aview(APIView):
    '''
    登入的人可以看
    '''
  #  authentication_classes = [MyAuthentication,]
    permission_classes = [MyPermission,]
    def get(self,request):
        return Response('美國電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)

class Jview(APIView):
    '''
    會員才可以看
    '''
    # authentication_classes = [MyAuthentication,]
    # permission_classes = [MyPermission,AdminPermission,]
    def get(self,request):
        return Response('日本電影列表')
    def post(self,request):
        pass

    def permission_denied(self, request, message=None):
        """
        If request is not permitted, determine what kind of exception to raise.
        """

        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated('無權訪問')
        raise exceptions.PermissionDenied(detail=message)
Views 
from django.shortcuts import render

from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.response import Response
from rest_framework import exceptions
from rest_framework.exceptions import APIException


from app01 import models
# Create your views here.

class MyAuthentication(BaseAuthentication):

    def authenticate(self, request):
        token=request.query_params.get('token')
        user=models.Userinfo.objects.filter(token=token).first()
        if user:
            return (user.name,user)
        return None

class MyPermission(object):
    message = '登入才可以訪問'
    def has_permission(self,request, view):
        if request.user:
            return True
        return False

class AdminPermission(object):
    message = '會員才可以訪問'
    def has_permission(self,request,view):
        if request.user=='ctz':
            return True
        return False
utils 
REST_FRAMEWORK = {
    'UNAUTHENTICATED_USER': None,
    'UNAUTHENTICATED_TOKEN': None,
    "DEFAULT_AUTHENTICATION_CLASSES": [
      # "app01.utils.MyAuthentication",
        "app02.utils.MyAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES":[
       "app02.utils.MyPermission",
       "app02.utils.AdminPermission",
    ],
}
settings

 

相關推薦

Django rest framework 許可權操作(原始碼分析)

知識回顧  這一篇是基於上一篇寫的,上一篇謝了認證的具體流程,看懂了上一篇這一篇才能看懂, 當用戶訪問是 首先執行dispatch函式,當執行當第二部時: #2.處理版本資訊 處理認證資訊 處理許可權資訊 對使用者的訪問頻率進行限制 self

Django rest framework 版本控制(原始碼分析四)

基於上述分析 #2.處理版本資訊 處理認證資訊 處理許可權資訊 對使用者的訪問頻率進行限制 self.initial(request, *args, **kwargs) #2.1處理版本資訊 #version代表版本

Django-Rest-Framework 許可權管理原始碼淺析

許可權管理簡單介紹 在django的views中不論是用類方式還是用裝飾器方式來使用rest框架,django_rest_frame實現許可權管理都需要兩個東西的配合:authentication_classes 和 permission_classes # 方式1: 裝飾器 from rest_fram

rest-framework的APIview原始碼分析,Serializer及解析器原始碼分析

rest-framework 1.安裝 方式一:pip3 install djangorestframework 方式二:pycharm圖形化介面安裝 方式三:pycharm命令列下安裝(裝在當前工程所用的直譯器下) 2.djangorestframework的APIVi

Django REST framework 許可權

許可權Permissions 許可權控制可以限制使用者對於檢視的訪問和對於具體資料物件的訪問。 在執行檢視的dispatch()方法前,會先進行檢視訪問許可權的判斷 在通過get_object()獲取具體物件時,會進行物件訪問許可權的判斷 使用 可以在配置檔案中設定預設的許可權管理類

django-rest-framework檢視層的使用()

上一章節我們講了serializers層的各種寫法,本章介紹view層的寫法 一、使用APIView的寫法見上一章節 二、使用mixins和generics書寫檢視層 1、ser

django rest framework許可權管理實戰

前言 本文標題為實戰,那麼希望你已經搭建好了環境。如果沒有,請參考官方文件進行環境搭建: 官方教程 通過學習這個例子,你可以學到: 如何使用django rest framework去實現RESTful api 學會如何進行許可權控制 希望對rest fra

Django Rest Framework之Tutorial 4分析與實踐

前言 在DRF所有的練習中,Tutorial 4算是比較難以理解的一部分,因此對這一節做一分析。在開始閱讀之前,強烈建議你完成Tutorial 1-3的所有內容,我們以下所有的內容都會用到前面三個練習的程式碼。 知識準備 主鍵:若某一個屬性組(注意是組)

DRF Django REST framework 之 解析器(

引入 Django Rest framework幫助我們實現了處理application/json協議請求的資料,如果不使用DRF,直接從 request.body 裡面拿到原始的客戶端請求的位元組資料,經過 decode ,然後 json 反序列化

Django rest framework 權限操作(源碼分析)

prop 源碼 display rtc body app ffi 代碼 tin 知識回顧 這一篇是基於上一篇寫的,上一篇謝了認證的具體流程,看懂了上一篇這一篇才能看懂, 當用戶訪問是 首先執行dispatch函數,當執行當第二部時: #2.處理版本信息

Django rest framework原始碼分析(2)----許可權

目錄 新增許可權 (1)API/utils資料夾下新建premission.py檔案,程式碼如下: message是當沒有許可權時,提示的資訊 # utils/permission.py class SVIPPremission(object): message =

Django rest framework 的認證流程(原始碼分析一)

一、基本流程舉例: urlpatterns = [ url(r'^admin/', admin.site.urls), url(r'^users/', views.HostView.as_view()), ] urls

Django rest framework 限制訪問頻率(原始碼分析三)

  基於  當用發出請求時 首先執行dispatch函式,當執行當第二部時: #2.處理版本資訊 處理認證資訊 處理許可權資訊 對使用者的訪問頻率進行限制 self.initial(request, *args, **kwargs)

3---Django rest framework原始碼分析(3)----節流

Django rest framework原始碼分析(3)----節流 目錄 新增節流 自定義節流的方法  限制60s

Django rest framework原始碼分析(4)----版本

目錄 版本  新建一個工程Myproject和一個app名為api (1)api/models.py from django.db import models class UserInfo(models.Model): USER_TYPE = ( (1,'普通

Django rest framework原始碼分析(1)----認證

目錄 一、基礎 1.1.安裝 兩種方式: pip install djangorestframework 1.2.需要先了解的一些知識 理解下面兩個知識點非常重要,django-rest-framework原始碼中到處都是基於CBV和麵向物件的封裝 (1)面向物件封裝的兩大特性

Django rest framework原始碼分析(3)----節流

目錄 新增節流 自定義節流的方法  限制60s內只能訪問3次 (1)API資料夾下面新建throttle.py,程式碼如下: # utils/throttle.py from rest_framework.throttling import BaseThrottle impo

django-rest-framework-原始碼解析004-三大驗證(認證/許可權/限流)

三大驗證模組概述 在DRF的APIView重寫的dispatch方法中,  self.initial(request, *args, **kwargs) 這句話就是執行三大驗證的邏輯, 點進去可以看到依次執行的就是認證(authentication)/許可權(permission

python-django rest framework框架之dispatch方法源碼分析

pytho fault quest 變量 miss imp ons esp cati 1.Django的 CBV 中在請求到來之後,都要執行dispatch方法,dispatch方法根據請求方式不同觸發 get/post/put等方法 class APIView(View

Django Rest Framework源碼剖析()-----權限

www. 基於 framework suffix 生效 ted AI try exce 一、簡介 在上一篇博客中已經介紹了django rest framework 對於認證的源碼流程,以及實現過程,當用戶經過認證之後下一步就是涉及到權限的問題。比如訂單的業務只