前言
在 DRF 开发中，如果有些接口必须同时满足 A、B、C 三个条件，而另一些接口只需满足 B、C 两个条件，就可以用权限组件（permission classes）把每个条件写成一个权限类，再按接口需要组合使用。
1、应用
默认情况下，必须 `permission_classes` 中每一个权限类的 `has_permission` 方法都返回 True，请求才能通过权限校验（“与”的关系）；任何一个返回 False 都会经由 `permission_denied` 拒绝请求（未认证时返回 401，已认证但无权限时返回 403）。这一点与认证组件不同——认证组件只要有一个认证类认证成功即可。
1.1 自定义权限类
from rest_framework.permissions import BasePermission
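class UserPermission(BasePermission):
    """Grant access only to callers whose ``role`` attribute equals 3."""
    # `message` becomes the detail of the PermissionDenied response;
    # see the source-analysis section for how APIView passes it through.
    message = {"status": False, 'msg': "无权访问1"}

    def has_permission(self, request, view):
        """Return True iff ``request.user.role == 3``.

        ``getattr`` with a default keeps a caller without a ``role``
        attribute (e.g. an unauthenticated ``AnonymousUser``) on the deny
        path instead of raising AttributeError, which would surface as a
        500 rather than a 401/403.
        """
        return getattr(request.user, "role", None) == 3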
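class ManagerPermission(BasePermission):
    """Grant access only to callers whose ``role`` attribute equals 2."""
    # `message` becomes the detail of the PermissionDenied response.
    message = {"status": False, 'msg': "无权访问2"}

    def has_permission(self, request, view):
        """Return True iff ``request.user.role == 2``.

        ``getattr`` with a default keeps a caller without a ``role``
        attribute (e.g. an unauthenticated ``AnonymousUser``) on the deny
        path instead of raising AttributeError (a 500 response).
        """
        return getattr(request.user, "role", None) == 2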
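class BossPermission(BasePermission):
    """Grant access only to callers whose ``role`` attribute equals 1."""
    # `message` becomes the detail of the PermissionDenied response.
    # NOTE(review): the text is identical to ManagerPermission's message;
    # a distinct message would make denials easier to tell apart in logs.
    message = {"status": False, 'msg': "无权访问2"}

    def has_permission(self, request, view):
        """Return True iff ``request.user.role == 1``.

        ``getattr`` with a default keeps a caller without a ``role``
        attribute (e.g. an unauthenticated ``AnonymousUser``) on the deny
        path instead of raising AttributeError (a 500 response).
        """
        return getattr(request.user, "role", None) == 1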
1.2 视图类中应用
class UserView(NbApiView):
    """Demo view guarded by the three role permissions.

    NOTE(review): under DRF's stock AND semantics every class in
    ``permission_classes`` must grant access, and one ``role`` value cannot
    equal 1, 2 and 3 at once, so this list only makes sense if ``NbApiView``
    (not shown here) overrides ``check_permissions`` with any-of semantics —
    confirm against its definition.
    """
    # Boss, manager, ordinary user
    permission_classes = [BossPermission, ManagerPermission, UserPermission]

    def _debug_reply(self, request):
        # Shared body for both verbs: print the caller, then a fixed payload.
        print(request.user, request.auth)
        return Response("UserView")

    def get(self, request):
        """Handle GET."""
        return self._debug_reply(request)

    def post(self, request):
        """Handle POST."""
        return self._debug_reply(request)
2、权限组件源码分析
2.1 总体流程
2.2 源码
2.2.1 ApiView
class APIView(View):
    # Abridged DRF excerpt: only the members involved in the permission check.
    # Global default; a view replaces it with its own `permission_classes` list.
    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES

    def get_permissions(self):
        # Instantiate every configured permission class (fresh objects per call).
        return [permission() for permission in self.permission_classes]

    def check_permissions(self, request):
        # AND semantics: the first permission whose has_permission() is falsy
        # ends the request via permission_denied(); later classes are not consulted.
        for permission in self.get_permissions():
            # The permission's optional `message` / `code` attributes are forwarded
            # so the error body can carry a per-class explanation.
            if not permission.has_permission(request, self):
                self.permission_denied(
                    request,
                    message=getattr(permission, 'message', None),
                    code=getattr(permission, 'code', None)
                )

    def permission_denied(self, request, message=None, code=None):
        # Authenticators were configured but none succeeded -> NotAuthenticated (401);
        # otherwise the caller is known but lacks rights -> PermissionDenied (403).
        if request.authenticators and not request.successful_authenticator:
            raise exceptions.NotAuthenticated()
        raise exceptions.PermissionDenied(detail=message, code=code)

    def initial(self, request, *args, **kwargs):
        # Order matters: authentication first, so request.user / request.auth are
        # populated before any permission class reads them; throttling last.
        self.perform_authentication(request)  # per the original note: a failing authenticator raises, a successful one yields request.user / request.auth (perform_authentication itself is not shown)
        self.check_permissions(request)  # permission check; request.user / request.auth are available here
        self.check_throttles(request)  # rate limiting

    def dispatch(self, request, *args, **kwargs):
        # Step 1: wrap the incoming request in DRF's Request object.
        request = self.initialize_request(request, *args, **kwargs)
        self.request = request
        try:
            # initial() raises (NotAuthenticated / PermissionDenied / throttle errors)
            # on failure; handle_exception (not shown) converts those into responses.
            self.initial(request, *args, **kwargs)
            if request.method.lower() in self.http_method_names:
                handler = getattr(self, request.method.lower(),
                                  self.http_method_not_allowed)
            else:
                handler = self.http_method_not_allowed
            response = handler(request, *args, **kwargs)
        except Exception as exc:
            response = self.handle_exception(exc)
        self.response = self.finalize_response(request, response, *args, **kwargs)
        return self.response
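class UserView(APIView):
    """Sketch of a concrete view plugging into the flow above.

    ``permission_classes`` is the list that ``APIView.check_permissions``
    instantiates and evaluates in order; ``get`` is the handler that
    ``dispatch`` looks up by HTTP method name once ``initial()`` has passed.
    """
    permission_classes = [类1, 类2, 类3,]

    def get(self, request, *args, **kwargs):
        """Handle GET; only reached after authentication, permission and throttle checks."""
        return JsonResponse({'code': 10000, 'data': 'xxx'})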
2.2.2 源码分析相关类
class PermissionDenied(APIException):
    """Raised by APIView.permission_denied when a permission check fails; rendered as HTTP 403."""
    status_code = status.HTTP_403_FORBIDDEN
    # Used only when permission_denied() is called without a `message`;
    # a permission class's `message` attribute takes precedence (see APIException.__init__).
    default_detail = _('You do not have permission to perform this action.')
    default_code = 'permission_denied'
class APIException(Exception):
    """Base class for DRF API errors; the class-level defaults describe a generic 500."""
    status_code = status.HTTP_500_INTERNAL_SERVER_ERROR
    default_detail = _('A server error occurred.')
    default_code = 'error'

    def __init__(self, detail=None, code=None):
        """Store the error payload on ``self.detail``.

        Args:
            detail: Human-readable detail; ``default_detail`` is used when None.
            code: Machine-readable code; ``default_code`` is used when None.
        """
        # Only a missing (None) value falls back to the class default;
        # any explicitly supplied value is kept as-is.
        resolved_detail = self.default_detail if detail is None else detail
        resolved_code = self.default_code if code is None else code
        self.detail = _get_error_details(resolved_detail, resolved_code)
3、权限组件扩展
- 需求：将默认的“必须同时满足 A、B、C 三个条件”改为“满足任意一个条件即可”。
- 思路：本质上是重写 `check_permissions` 方法；之后让视图类继承下面的 `MyApiView`（或把它的 `check_permissions` 方法集成到自己的视图基类中）即可。注意两点：这只改变 `has_permission` 的组合方式，`check_object_permissions`（即 `has_object_permission`）仍保持默认的“全部通过”语义；另外当 `permission_classes` 为空时，下面原始写法中的 `no_permission_objects[0]` 会抛出 IndexError，需要显式处理（建议按拒绝访问处理，即 fail closed）。
from rest_framework.views import APIView
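class MyApiView(APIView):
    """APIView variant whose permission check passes when ANY permission class allows the request.

    Stock ``APIView.check_permissions`` requires every class in
    ``permission_classes`` to return True (AND). Only that method is
    overridden here, so ``check_object_permissions`` (the
    ``has_object_permission`` hook) keeps the default AND behaviour.
    """

    def check_permissions(self, request):
        """Allow the request if at least one permission grants it; otherwise deny.

        Args:
            request: The DRF ``Request``; authentication has already run.

        Raises:
            Whatever ``self.permission_denied`` raises (NotAuthenticated or
            PermissionDenied), carrying the ``message`` / ``code`` of the
            first permission that rejected the request.  An empty
            ``permission_classes`` list satisfies no condition and is denied
            (fail closed) with the default detail; use ``[AllowAny]`` to open
            a view explicitly.
        """
        first_denied = None
        for permission in self.get_permissions():
            if permission.has_permission(request, self):
                return
            # Remember only the first rejection: its message/code is reported.
            if first_denied is None:
                first_denied = permission
        # Reached when no permission granted access, including the empty-list
        # case where first_denied is None and permission_denied's defaults apply
        # (the original indexed no_permission_objects[0] and raised IndexError there).
        self.permission_denied(
            request,
            message=getattr(first_denied, 'message', None),
            code=getattr(first_denied, 'code', None),
        )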