一、权限示例
需求:不同的用户类型有不同的权限
- 普通用户:只能查看个人信息相关,序号:1
- VIP 用户:只能查看个人信息相关,序号:2
- SVIP 用户:查看订单相关信息,序号:3
1、新建 app/utils/permission.py
:
class SVIPPermission(object):
def has_permission(self, request, view):
"""是否有权限"""
if request.user.user_type != 3:
return False
return True
class MyPermission(object):
"""普通、VIP 用户"""
def has_permission(self, request, view):
"""是否有权限"""
if request.user.user_type == 3:
return False
return True
如果用户类型为 3 即 SVIP,那么就返回 True,否则返回 False。
Note:只有登录后的用户才有
request.user
,即在用户认证的时候,返回用户对象
2、views.py
from django.shortcuts import render, HttpResponse
from rest_framework.views import APIView
from rest_framework.authentication import BasicAuthentication
import hashlib
import time
from app import models
from django.http import JsonResponse
from .utils.auth import MyAuthentication
from .utils.permission import SVIPPermission
class OrderView(APIView):
"""订单管理"""
# authentication_classes = [MyAuthentication, ] # 添加认证(因为已经全局设置了认证,所有就不单独设置了)
permission_classes = [SVIPPermission, ] # 权限
def get(self, request, *args, **kwargs):
ret = {'code': 1000, 'msg': None, 'data': None, }
ret['data'] = ORDER_DICT
print(request.user)
return JsonResponse(ret)
class UserInfo(APIView):
"""用户个人信息"""
permission_classes = [MyPermission, ]
def get(self, request, *args, **kwargs):
user_name = request.user.username
return HttpResponse(user_name)
3、现在带上 token(表示已经登录),查看订单:
SVIP 用户:
4、查看用户个人信息:(rose:普通用户)
5、project/urls.py
:
为了遵循 RESTful API 规范,现在将 URL 修改为如下:
from django.contrib import admin
from django.urls import path
from app.views import IndexView, OrderView, UserInfo
urlpatterns = [
path('admin/', admin.site.urls),
path('api/v1/index/', IndexView.as_view()),
path('api/v1/order/', OrderView.as_view()),
path('api/v1/info/', UserInfo.as_view())
]
二、全局配置
与认证一样,权限也可以全局配置和局部配置,全局配置可以使得所有的视图类生效,需要在 settings
中配置:
REST_FRAMEWORK = {
"DEFAULT_AUTHENTICATION_CLASSES": ['app.utils.auth.MyAuthentication', ],
"UNAUTHENTICATED_USER": lambda: '匿名用户',
"UNAUTHENTICATED_TOKEN": None,
"DEFAULT_PERMISSION_CLASSES": ['app.utils.permission.SVIPPermission'], # 这句
}
如果想配置没有访问权限返回的信息,可以修改 app/utils/permission.py
:
class SVIPPermission(object):
message = '必须 SVIP 才能访问!' # 这句
def has_permission(self, request, view):
"""是否有权限"""
if request.user.user_type != 3:
return False
return True
三、内置权限
rest framework 也有内置的权限 rest_framework/permissions.py
:
@six.add_metaclass(BasePermissionMetaclass)
class BasePermission(object):
"""
A base class from which all permission classes should inherit.
"""
def has_permission(self, request, view):
"""
Return `True` if permission is granted, `False` otherwise.
"""
return True
def has_object_permission(self, request, view, obj):
"""
Return `True` if permission is granted, `False` otherwise.
"""
return True
自定义的权限类,最好要继承 BasePermission
:
# app/utils/permisiion.py
from rest_framework.permissions import BasePermission
class SVIPPermission(BasePermission):
message = '必须 SVIP 才能访问!'
def has_permission(self, request, view):
"""是否有权限"""
if request.user.user_type != 3:
return False
return True
四、权限认证流程(源码)
1、请求过来先执行 dispatch()
方法,dispatch()
方法中 initial()
初始化请求相关信息:
def initial(self, request, *args, **kwargs):
"""
Runs anything that needs to occur prior to calling the method handler.
"""
self.format_kwarg = self.get_format_suffix(**kwargs)
# Perform content negotiation and store the accepted info on the request
neg = self.perform_content_negotiation(request)
request.accepted_renderer, request.accepted_media_type = neg
# Determine the API version, if versioning is in use.
version, scheme = self.determine_version(request, *args, **kwargs)
request.version, request.versioning_scheme = version, scheme
# Ensure that the incoming request is permitted
# 实现认证
self.perform_authentication(request)
# 检查权限
self.check_permissions(request)
self.check_throttles(request)
2、check_permissions()
def check_permissions(self, request):
"""
Check if the request should be permitted.
Raises an appropriate exception if the request is not permitted.(检查是否应该允许请求。
如果不允许请求,则引发适当的异常)
"""
# 权限列表,self.get_permissions() = MyPermission(),调用其中的 has_permission() 方法
for permission in self.get_permissions():
if not permission.has_permission(request, self):
self.permission_denied(
request, message=getattr(permission, 'message', None)
)
从上面可以看到其实权限认证,主要是调用 has_permission()
方法,若我们自定义权限类,只需实现这个方法即可。
self.get_permissions()
其本质是在定义权限类对象列表:[MyPermission(), ]
,具体可见 3
- 若
has_permission()
返回 True,即有权限访问,则不执行self.permission_denied()
- 若访问 False,即无权访问,则执行
self.permission_denied()
,在其中返回的错误信息就是message
所定义的,因此我们也可以自定义message
的内容。
3、get_permissions()
def get_permissions(self):
"""
Instantiates and returns the list of permissions that this view requires.
实例化并返回此视图所需的权限列表。
"""
# permission_classes = [MyPermission, ],返回对象列表
return [permission() for permission in self.permission_classes]
源码流程图
总结
- 自定权限类,需继承
BasePermission
- 类中必须实现
has_permission()
方法 - 全局定义权限(可设置 settings),局部视图类不设置权限认证,可设置
permission_classes = []