一、简介
本篇文章主要介绍drf权限组件的快速使用,并从源码角度分析drf权限组件的调用过程
二、快速使用
①与认证组件一样,需要在除开views.py的任意地方定义一个权限组件
# ext/per.py
from rest_framework.permissions import BasePermission
from rest_framework.exceptions import PermissionDenied
import random
class MyPermission(BasePermission):
message = {"code": 203, "data": "你没有该api的权限"}
def has_permission(self, request, view):
# v1取1到3的随机值
v1 = random.randint(1, 3)
# 如果v1等于2则返回ture,否则返回false
if v1 == 2:
return True
# raise PermissionDenied({"code": 203, "data": "你没有该api的权限"})
return False
自定义错误返回,如上代码所示有两种方式,一种是自定义message,另一种是 raise PermissionDenied
②在settings.py中全局引用编写的认证组件
# day13/settings.py
REST_FRAMEWORK = {
# 匿名用户
'UNAUTHENTICATED_USER': None,
# 认证组件
'DEFAULT_AUTHENTICATION_CLASSES': [
'ext.auth.QueryParamsAuthentication',
'ext.auth.HeaderAuthentication',
'ext.auth.NoAuthentication',
],
# 权限组件
'DEFAULT_PERMISSION_CLASSES': [
'ext.per.MyPermission',
],
}
③测试接口
访问user接口,因为做的是随机值判定,因此有无权限都是有一定几率的
有权限:
无权限:
三、源码分析
①首先找到APIView中的dispatch方法,其源码如下:
def dispatch(self, request, *args, **kwargs):
"""
`.dispatch()` is pretty much the same as Django's regular dispatch,
but with extra hooks for startup, finalize, and exception handling.
"""
self.args = args
self.kwargs = kwargs
request = self.initialize_request(request, *args, **kwargs)
self.request = request
self.headers = self.default_response_headers # deprecate?
try:
self.initial(request, *args, **kwargs)
# Get the appropriate handler method
if request.method.lower() in self.http_method_names:
handler = getattr(self, request.method.lower(),
self.http_method_not_allowed)
else:
handler = self.http_method_not_allowed
response = handler(request, *args, **kwargs)
except Exception as exc:
response = self.handle_exception(exc)
self.response = self.finalize_response(request, response, *args, **kwargs)
return self.response
如同分析认证组件一样,这次仍然是关注下面这段代码
self.initial(request, *args, **kwargs)
这时就去查看initial做了什么,其源码如下:
def initial(self, request, *args, **kwargs):
"""
Runs anything that needs to occur prior to calling the method handler.
"""
self.format_kwarg = self.get_format_suffix(**kwargs)
# Perform content negotiation and store the accepted info on the request
neg = self.perform_content_negotiation(request)
request.accepted_renderer, request.accepted_media_type = neg
# Determine the API version, if versioning is in use.
version, scheme = self.determine_version(request, *args, **kwargs)
request.version, request.versioning_scheme = version, scheme
# Ensure that the incoming request is permitted
self.perform_authentication(request)
self.check_permissions(request)
self.check_throttles(request)
同样,这次我们关注如下代码
self.check_permissions(request)
这里需要提一下,认证组件的self.perform_authentication(request)在权限组件的上方,因此我们可以知道如果代码走到权限组件时,说明认证组件已经通过了,此时的request.user和request.auth就已经存储了我们当前登录的用户和token
当然这里的重点还是查看check_permissions实现的功能,其源码如下:
def check_permissions(self, request):
"""
Check if the request should be permitted.
Raises an appropriate exception if the request is not permitted.
"""
for permission in self.get_permissions():
if not permission.has_permission(request, self):
self.permission_denied(
request,
message=getattr(permission, 'message', None),
code=getattr(permission, 'code', None)
)
首先做的是一个for循环,调用了get_permissions()方法
for permission in self.get_permissions():
get_permissions()方法的源码如下:
def get_permissions(self):
return [permission() for permission in self.permission_classes]
实现的将当前对象的permission_classes读取到permission中并实例化,而当前对象的permission_classes未在view中定义,便会去读取APIView中的permission_classes,其定义如下:
permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES
即读取在settings里面定义的DEFAULT_PERMISSION_CLASSES,如:
REST_FRAMEWORK = {
'UNAUTHENTICATED_USER': None,
'DEFAULT_AUTHENTICATION_CLASSES': [
'ext.auth.QueryParamsAuthentication',
'ext.auth.HeaderAuthentication',
'ext.auth.NoAuthentication',
],
# 权限组件
'DEFAULT_PERMISSION_CLASSES': [
'ext.per.MyPermission',
],
}
回到check_permissions,for循环走完之后,便是判断权限组件中的has_permission()的返回值,如果返回值为True则不执行if语句,如果返回值为Flase则执行if语句
而if语句调用的是permission_denied()方法,其源码如下:
def permission_denied(self, request, message=None, code=None):
if request.authenticators and not request.successful_authenticator:
raise exceptions.NotAuthenticated()
raise exceptions.PermissionDenied(detail=message, code=code)
可见是是一个返回错误的方法,因此,权限组件和认证组件不同,可以将各个不同的权限组件理解为“与”的关系,有一个Flase便会报错
其中raise exceptions.PermissionDenied(detail=message, code=code)的message在check_permissions中传入的值是如下定义的:
message=getattr(permission, 'message', None)
因此第二小节中提到的自定义错误返回有两种方式,其中一种是自定义message,这里将在权限组件中定义的messag作为传入PermissionDenied中,从而作为报错返回值返回
四、补充
之所以要分析源码,不仅是让我们能够理解底层逻辑是如何运作的,还可以让我们更加地灵活处理底层逻辑,前面提到权限组件与认证组件稍有不同,权限组件之间的关系是“与”,如果写在需要将权限组件之间的关系改为“或”应该从哪里入手呢?
回忆上面的源码解析,在处理权限组件之间关系的代码应该是check_permissions,其源码如下:
def check_permissions(self, request):
"""
Check if the request should be permitted.
Raises an appropriate exception if the request is not permitted.
"""
for permission in self.get_permissions():
if not permission.has_permission(request, self):
self.permission_denied(
request,
message=getattr(permission, 'message', None),
code=getattr(permission, 'code', None)
)
其中的if语句便是导致“与”关系的原因,只要有一个权限组件返回的Flase,便会调用permission_denied报错,因此如果需要该写权限组件之间的关系,便需要重写该方法,回到代码当中,调用此方法的self其实就是定义在views中的类,如OrderView,UserView等,因此将其代码修改如下:
class OrderView(APIView):
def check_permissions(self, request):
for permission in self.get_permissions():
# 如果有返回Ture的权限组件则直接return,不用再向后执行
if permission.has_permission(request, self):
return
# 当所有的权限组件都返回的Flase时,则执行报错
self.permission_denied(
request,
message=getattr(permission, 'message', None),
code=getattr(permission, 'code', None)
)
def get(self, request):
return Response({'code': 0, 'data': ['番茄炒蛋', '鸡米芽菜']})