DRF: Custom Permissions

Posted by fqh202


1. Add the table fields:

from django.db import models


class UserInfo(models.Model):
    username = models.CharField(max_length=32)
    password = models.CharField(max_length=32)
    email = models.CharField(max_length=64)
    user_type_choices = ((0, '普通用户'), (1, '管理员'))  # 0 = ordinary user, 1 = administrator
    user_type = models.IntegerField(choices=user_type_choices, default=0)


class Token(models.Model):
    value = models.CharField(max_length=64)  # session_key
    # One token per user: logging in again regenerates the token value,
    # so only the most recent login stays valid.
    # on_delete is required from Django 2.0 onwards.
    user = models.OneToOneField(UserInfo, on_delete=models.CASCADE)

2. How the permission check flows through the DRF source:

# step 1 (excerpt from APIView.dispatch)
def dispatch(self, request, *args, **kwargs):
    try:
        self.initial(request, *args, **kwargs)
        # ... handler lookup and call omitted ...
    except Exception as exc:
        response = self.handle_exception(exc)


# step 2
def initial(self, request, *args, **kwargs):
    self.perform_authentication(request)  # authenticate the user first
    self.check_permissions(request)  # then check permissions


# step 3
def check_permissions(self, request):
    for permission in self.get_permissions():

        # has_permission returning True grants access; False denies it
        # (the first permission that returns False stops the request)
        if not permission.has_permission(request, self):
            self.permission_denied(
                request, message=getattr(permission, 'message', None)
            )


# step 4
def get_permissions(self):
    return [permission() for permission in self.permission_classes]


# The default AllowAny class lets every request through
class AllowAny(BasePermission):
    def has_permission(self, request, view):
        return True

3. Get the default permission class:

from rest_framework.views import APIView


class UserView(APIView):
    def get(self, request, *args, **kwargs):
        print(self.permission_classes)  # [<class 'rest_framework.permissions.AllowAny'>]


# The AllowAny source, for reference:
from rest_framework.permissions import AllowAny, BasePermission

class AllowAny(BasePermission):
    def has_permission(self, request, view):
        return True

4. Custom permission class:

from rest_framework.permissions import BasePermission


class MyPermission(BasePermission):
    message = '无权限访问'  # custom error message returned in the 403 body

    def has_permission(self, request, view):
        # Authentication has already run (step 2), so request.user is set;
        # DRF also mirrors it onto request._request.user.
        user = request.user
        if user:
            if user.user_type == 1:
                return True
        return False


class Permission(object):
    # Specify the permission classes via inheritance (mixin)
    permission_classes = [MyPermission, ]
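Added example (not code from the original post): the same admin-only check, hardened to fail closed, run through a stand-in for the check_permissions loop from step 3. The UserInfo, AnonymousUser and BasePermission classes below are constructed stand-ins for the Django/DRF objects so it runs without a database; the point is that Django's AnonymousUser is truthy, so the post's `if user:` test alone would reach `user.user_type` and crash with a 500 instead of a clean 403 whenever authentication did not set a real user.

```python
from dataclasses import dataclass
from types import SimpleNamespace


# Constructed stand-ins for the Django/DRF objects (no database needed).
@dataclass
class UserInfo:
    username: str
    user_type: int = 0          # 0 = ordinary user, 1 = administrator
    is_authenticated: bool = True


class AnonymousUser:
    """Mirrors Django's AnonymousUser: truthy, unauthenticated, no user_type."""
    is_authenticated = False


class BasePermission:
    message = None

    def has_permission(self, request, view):
        return True


class AdminOnly(BasePermission):
    """Hardened form of the post's MyPermission: every unexpected case denies."""
    message = 'Permission denied'

    def has_permission(self, request, view):
        user = getattr(request, 'user', None)
        # AnonymousUser passes `if user:`; check is_authenticated explicitly.
        if user is None or not getattr(user, 'is_authenticated', False):
            return False
        # getattr: a user object without user_type is denied, not a crash.
        return getattr(user, 'user_type', None) == 1


def check_permissions(permission_classes, request, view=None):
    """Same loop as APIView.check_permissions: the first False denies.
    Returns (allowed, message) instead of raising, so it is easy to assert on."""
    for permission in [cls() for cls in permission_classes]:
        if not permission.has_permission(request, view):
            return False, getattr(permission, 'message', None)
    return True, None


def make_request(user):
    return SimpleNamespace(user=user)


if __name__ == '__main__':
    for u in (AnonymousUser(), UserInfo('alex'), UserInfo('kate', user_type=1)):
        print(type(u).__name__, check_permissions([AdminOnly], make_request(u)))
```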
    

5. Usage example:

# urls
from django.conf.urls import url
from app01.views import UserView, GroupView


urlpatterns = [
    url(r'^users/', UserView.as_view()),
    url(r'^user_groups/', GroupView.as_view()),
]


# views
from django.http import HttpResponse
from rest_framework.views import APIView
# Auth is the custom authentication class (defined elsewhere);
# Permission is the mixin from section 4.


class UserView(Auth, APIView):
    """Authentication class only: any authenticated user may access it."""
    def get(self, request, *args, **kwargs):
        return HttpResponse('<h1>用户界面</h1>')


class GroupView(Auth, Permission, APIView):
    """Authentication and permission classes: the request must authenticate,
    and only an administrator may access it."""
    def get(self, request, *args, **kwargs):
        return HttpResponse('<h1>用户组界面</h1>')

6. Test:

# alex is an ordinary user; token value 9c4cb1631b3a5ead33fb09f6349c4bc7
# kate is an administrator; token value 3cfc1dfab9d2b130e44cbf86b1099206

http://127.0.0.1:8000/users/?tk=9c4cb1631b3a5ead33fb09f6349c4bc7
http://127.0.0.1:8000/users/?tk=3cfc1dfab9d2b130e44cbf86b1099206
# both are authenticated and get the page


http://127.0.0.1:8000/user_groups/?tk=9c4cb1631b3a5ead33fb09f6349c4bc7
'''
HTTP 403 Forbidden
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "detail": "无权限访问"
}
'''


http://127.0.0.1:8000/user_groups/?tk=3cfc1dfab9d2b130e44cbf86b1099206
# kate is an administrator, so the request is allowed
