Django REST framework study notes: permissions - Restful
0X00 Default permission classes (permissions):
AllowAny: allows any access, authenticated or not. This is also DRF's built-in default when DEFAULT_PERMISSION_CLASSES is not set, so a project that never configures permissions is wide open.
IsAuthenticated: allows access only to authenticated users (users registered in the Django auth tables).
IsAdminUser: allows access only to admin users. The class denies every request unless user.is_staff is True; is_staff is the flag that permits logging in to the admin site, and it is not the same as is_superuser.
IsAuthenticatedOrReadOnly: the request is authenticated as a user, or it is a read-only request. "Read-only" means one of the safe methods (GET, HEAD, OPTIONS), so anonymous users may read and only authenticated users may write.
DjangoModelPermissions: the request is authenticated using django.contrib.auth permissions (see https://docs.djangoproject.com/en/dev/topics/auth/#permissions). It ensures that the user is authenticated and has the appropriate add/change/delete permission on the model: by default POST requires the add permission, PUT and PATCH require change, DELETE requires delete, and GET/HEAD/OPTIONS only require authentication. This permission can only be applied to view classes that expose a .queryset attribute (or a get_queryset() method); in DRF 3.x the older .model attribute is no longer used.
DjangoModelPermissionsOrAnonReadOnly: the same as DjangoModelPermissions, except that anonymous users are allowed read-only access.
DjangoObjectPermissions: rarely used, and needs an object-permissions-enabled backend such as the third-party library django-guardian. The request is authenticated using Django's object-level permissions. It ensures that the user is authenticated and has the appropriate add/change/delete permission on the specific object, checked via user.has_perms(perms, obj). Like DjangoModelPermissions it can only be applied to view classes that provide a .queryset attribute, and because the check lives in has_object_permission it only runs for views that load a single object through get_object(); list endpoints are not covered by it.
0X01 Default authentication classes:
BasicAuthentication: HTTP Basic Authentication, verified against a user's username and password. Basic authentication is generally only appropriate for testing. If it is enabled at all it must be served over HTTPS only, since the credentials are sent base64-encoded (not encrypted) on every request.
SessionAuthentication: uses Django's default session backend for authentication. Session authentication is appropriate for AJAX clients running in the same session context as your website. For requests authenticated by a session DRF also enforces Django's CSRF check, so browser clients must send the CSRF token on unsafe methods (POST, PUT, PATCH, DELETE).
TokenAuthentication: a simple token-based HTTP authentication scheme, appropriate for client-server setups such as native desktop and mobile clients. It requires rest_framework.authtoken in INSTALLED_APPS, and the client sends the token as an Authorization: Token <key> header. The token is a bearer credential: anyone holding it is the user, so store it like a password and only transmit it over HTTPS.
0X02 Custom authentication and permissions
Authentication
Subclass BaseAuthentication and override .authenticate(self, request). Return a (user, auth) tuple on success, return None when the scheme does not apply to this request (DRF then tries the next authenticator), and raise AuthenticationFailed for credentials that are present but invalid. Also override .authenticate_header(self, request) to return the WWW-Authenticate value; without it a rejected request is answered with 403 instead of 401.
Permissions
Subclass BasePermission and override .has_permission(self, request, view), .has_object_permission(self, request, view, obj), or both. Every permission class listed on a view must return True for the request to proceed. has_object_permission is only invoked for views that fetch a single object via get_object(), so list endpoints are governed by has_permission alone.
0X03 Usage
Method one:
Put the configuration in the Django settings file. The two classes below are in fact DRF's built-in defaults, so listing them only makes the choice explicit; the key that is worth setting is DEFAULT_PERMISSION_CLASSES, because its built-in default is AllowAny:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
}
Method two:
Set the classes directly on the API view (attributes on a class-based view, decorators on a function-based view). Per-view settings override the global ones completely, so a view that sets permission_classes = () has no permission check at all.
from rest_framework.authentication import BasicAuthentication, SessionAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView

# class-based view
class ExampleView(APIView):
    authentication_classes = (SessionAuthentication, BasicAuthentication)
    permission_classes = (IsAuthenticated,)

    def get(self, request, format=None):
        content = {
            'user': str(request.user),  # `django.contrib.auth.User` instance
            'auth': str(request.auth),  # None for session/basic auth; the token for token auth
        }
        return Response(content)

# function-based view: decorators must be applied in this order, api_view outermost
@api_view(['GET'])
@authentication_classes((SessionAuthentication, BasicAuthentication))
@permission_classes((IsAuthenticated,))
def example_view(request, format=None):
    content = {
        'user': str(request.user),  # `django.contrib.auth.User` instance
        'auth': str(request.auth),  # None for session/basic auth; the token for token auth
    }
    return Response(content)