The rest-framework permission component

Permissions

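Purpose: verify that the user has permission to access the HTML.

  • Permission checks always run after user authentication has passed, so the user can be taken directly from request to make the decision.
  • First define a class that inherits from BasePermission.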
from rest_framework.permissions import BasePermission
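class myPermission(BasePermission):
    # Message returned when the permission check fails
    message = '不是超超級用戶,查看不了'  # "Not a super-super user, cannot view"
    def has_permission(self, request, view):
        # Only users whose user_type is 3 pass the check
        if request.user.user_type != 3:
            return False
        else:
            return True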
  • Local use: just add this to the view class
permission_classes=[myPermission,]
  • Global use: configure it in settings, giving the import path of the class you created
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": ["app01.service.auth.Authentication",],
    "DEFAULT_PERMISSION_CLASSES": ["app01.service.permissions.SVIPPermission",]
}

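Order in which permission classes are used

Lookup order for permission classes: the permission classes set on the view class are used first, then the ones configured in settings, and finally the default permission classes.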

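Local use example

  1. models layer
from django.db import models

class User(models.Model):
    username = models.CharField(max_length=32)
    password = models.CharField(max_length=32)
    # 1 = super user ('超級用戶'), 2 = ordinary user ('普通用戶'), 3 = '二筆用戶'
    user_type = models.IntegerField(choices=((1,'超級用戶'),(2,'普通用戶'),(3,'二筆用戶')))

class UserToken(models.Model):
    # on_delete is required from Django 2.0 onwards
    user = models.OneToOneField(to='User', on_delete=models.CASCADE)
    token = models.CharField(max_length=64)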
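  2. Create the permission class (the authentication class, when verification passes, returns two values)
from rest_framework.permissions import BasePermission
class myPermission(BasePermission):
    message = '不是超超級用戶,查看不了'  # "Not a super-super user, cannot view"
    def has_permission(self, request, view):
        # Check whether the user has permission
        if request.user.user_type != 3:
            return False
        else:
            return True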
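  3. view layer
from django.http import JsonResponse
from rest_framework.views import APIView
from app01.auth import myAuthen
from app01.auth import myPermission
# models, myserial and MyResponse are this project's own modules (their imports are not shown in the post)

class Book(APIView):
    authentication_classes = [myAuthen, ]
    permission_classes = [myPermission, ]

    def get(self, request):
        response = MyResponse()

        # Debug output only; avoid printing tokens outside local testing
        print(request.user.username)
        print(request.auth.token)
        # Login is required to access this
        books = models.Book.objects.all()
        ret = myserial.BookSer(instance=books, many=True)
        response.msg = '查詢成功'  # "Query succeeded"
        response.data = ret.data
        return JsonResponse(response.get_dic, safe=False)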

Second example

from django.http import HttpResponse
from rest_framework.permissions import BasePermission
from rest_framework.views import APIView
# TokenAuth is the project's authentication class (its import is not shown in the post)

class UserPermission(BasePermission):
    message = '不是超級用戶,查看不了'  # "Not a super user, cannot view"
    def has_permission(self, request, view):
        # user_type = request.user.get_user_type_display()
        # if user_type == '超級用戶':
        user_type = request.user.user_type
        print(user_type)
        if user_type == 1:
            return True
        else:
            return False

class Course(APIView):
    authentication_classes = [TokenAuth, ]
    permission_classes = [UserPermission,]

    def get(self, request):
        return HttpResponse('get')

    def post(self, request):
        return HttpResponse('post')

Global use: add the classes in settings

REST_FRAMEWORK={
    "DEFAULT_AUTHENTICATION_CLASSES":["app01.service.auth.Authentication",],
    "DEFAULT_PERMISSION_CLASSES":["app01.service.permissions.SVIPPermission",]
}

Source code analysis

def check_permissions(self, request):
    for permission in self.get_permissions():
        if not permission.has_permission(request, self):
            self.permission_denied(
                request, message=getattr(permission, 'message', None)
                )

Source code analysis of self.get_permissions()

def get_permissions(self):
    return [permission() for permission in self.permission_classes]
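
The two methods above and the lookup order described earlier, as an added example that is not from the original post and is not DRF's own code. It is a simplified stand-in that does not import DRF. MiniView, IsLoggedIn, CourseView, StrictCourseView, SETTINGS_DEFAULT and outcome are hypothetical names, and the English messages are constructed. It shows that a view-level permission_classes replaces the global list rather than adding to it, that every listed class must pass, and that the first failing class supplies the message.

```python
# Simplified stand-in for the DRF logic quoted above; it does not import DRF.
from types import SimpleNamespace

class PermissionDenied(Exception):
    pass

class BasePermission:                       # stand-in for rest_framework's base class
    message = None
    def has_permission(self, request, view):
        return True

class IsLoggedIn(BasePermission):           # hypothetical global default
    message = 'login required'
    def has_permission(self, request, view):
        return request.user is not None

class UserPermission(BasePermission):       # same rule as the second example above
    message = 'not a super user'
    def has_permission(self, request, view):
        # getattr with a default denies users that have no user_type (e.g. no user at all)
        return getattr(request.user, 'user_type', None) == 1

SETTINGS_DEFAULT = [IsLoggedIn]             # plays the role of DEFAULT_PERMISSION_CLASSES

class MiniView:
    permission_classes = SETTINGS_DEFAULT   # a view inherits the global list...

    def get_permissions(self):
        return [permission() for permission in self.permission_classes]

    def check_permissions(self, request):
        for permission in self.get_permissions():
            if not permission.has_permission(request, self):
                raise PermissionDenied(getattr(permission, 'message', None))

class CourseView(MiniView):
    permission_classes = [UserPermission]   # ...and this replaces it, it does not extend it

class StrictCourseView(MiniView):
    permission_classes = [IsLoggedIn, UserPermission]  # all must pass, checked in order

def outcome(view_cls, user):
    """Return 'allowed' or the message of the first failing permission class."""
    request = SimpleNamespace(user=user)
    try:
        view_cls().check_permissions(request)
        return 'allowed'
    except PermissionDenied as exc:
        return str(exc)
```

When a view sets its own permission_classes, list every class that must still apply to it, including the ones from settings.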
