Django REST framework 学习纪要 Tutorial 4 Authentication & Permissions

#Django REST framework 学习纪要 Tutorial 4 Authentication & Permissions| 来源: 网络整理| 查看: 265

目前为止，我们的代码没有限制谁可以编辑和删除代码片段，此节我们需要实现以下功能

代码片段需要与创建者关联只有通过验证的用户才能创建代码片段只有创建者才能修改或删除代码片段没有通过验证的用户拥有只读权限给model添加字段

我们需要添加两个字段，一个用于存储代码片段的创建者信息，一个用于存储代码的高亮信息

style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100) owner = models.ForeignKey('auth.User', related_name='snippets', on_delete=models.CASCADE) highlighted = models.TextField()

同时，我们需要在该模型类执行保存操作时，自动填充highlighted字段，使用pygments库。首先，导入一些包

from pygments.lexers import get_lexer_by_name from pygments.formatters.html import HtmlFormatter from pygments import highlight

然后为Snippet重写父类的save方法

def save(self, *args, **kwargs): """ use the 'pygments' library to create a highlighted HTML representation of code snippet """ lexer = get_lexer_by_name(self.language) linenos = self.linenos and 'table' or False options = self.title and {'title': self.title} or {} formatter = HtmlFormatter(style=self.style, linenos=linenos, full=True, **options) self.highlighted = highlight(self.code, lexer, formatter) super(Snippet, self).save(*args, **kwargs)

接下来需要迁移数据库，方便起见，删库，然后重新迁移

(django_rest_framework) [root@localhost tutorial]# rm -f tmp.db db.sqlite3 && \ > rm -rf snippets/migrations/ && \ > python manage.py makemigrations snippets && \ > python manage.py migrate Migrations for 'snippets': snippets/migrations/0001_initial.py - Create model Snippet Operations to perform: Apply all migrations: admin, auth, contenttypes, sessions, snippets Running migrations: Applying contenttypes.0001_initial... OK Applying auth.0001_initial... OK Applying admin.0001_initial... OK Applying admin.0002_logentry_remove_auto_add... OK Applying contenttypes.0002_remove_content_type_name... OK Applying auth.0002_alter_permission_name_max_length... OK Applying auth.0003_alter_user_email_max_length... OK Applying auth.0004_alter_user_username_opts... OK Applying auth.0005_alter_user_last_login_null... OK Applying auth.0006_require_contenttypes_0002... OK Applying auth.0007_alter_validators_add_error_messages... OK Applying auth.0008_alter_user_username_max_length... OK Applying sessions.0001_initial... OK Applying snippets.0001_initial... OK

为了测试API，我们需要创建一些用户，最快的方式就是通过createsuperuser命令

(django_rest_framework) [root@localhost tutorial]# python manage.py createsuperuser Username (leave blank to use 'root'): song Email address: [email protected] Password: Password (again): Superuser created successfully. (django_rest_framework) [root@localhost tutorial]# python manage.py createsuperuser Username (leave blank to use 'root'): user_1 Email address: [email protected] Password: Password (again): Superuser created successfully. (django_rest_framework) [root@localhost tutorial]# python manage.py createsuperuser Username (leave blank to use 'root'): user_2 Email address: [email protected] Password: Password (again): Superuser created successfully. 为用户模型添加接口

我们已经创建了三个用户，现在我们需要添加用户相关的接口，修改serializers.py

from django.contrib.auth.models import User class UserSerializer(serializers.ModelSerializer): snippets = serializers.PrimaryKeyRelatedField(many=True, queryset=Snippet.objects.all()) class Meta: model = User fields = ('id', 'username', 'snippets')

因为snippets和user是一种反向的关联，默认不会包含入ModelSerializer类中，所以需要我们手动添加

我们也需要对views.py进行修改，由于用户页面为只读，所以继承于ListAPIView和RetrieveAPIView类

from django.contrib.auth.models import User from snippets.serializers import UserSerializer class UserList(generics.ListAPIView): queryset = User.objects.all() serializer_class = UserSerializer class UserDetail(generics.RetrieveAPIView): queryset = User.objects.all() serializer_class = UserSerializer

配置url.py

url(r'^users/$', views.UserList.as_view()), url(r'^users/(?P[0-9]+)/$', views.UserDetail.as_view()), 关联User和Snippet

此时我们创建一个代码片段，是无法与用户关联的，因为用户信息是通过request获取的。因此我们需要重写snippet的view中perform_create()方法，这个方法允许我们在对象保存前进行相关操作，处理任何有request或requested URL传递进来的数据

修改views.py中的SnippetList类，添加perform_create()方法

def perform_create(self, serializer): serializer.save(owner=self.request.user)

如此，新建代码片段时，会添加owner字段，该字段存储了request中的用户信息

更新serializer

之前我们在views中的SnippetList类中添加了perform_create方法，保存了owner信息，因而也需要在serializer中的SnippetSerializer类中添加owner信息，同时将owner添加进Meta子类的fields字段中

class SnippetSerializer(serializers.ModelSerializer): owner = serializers.ReadOnlyField(source='owner.username') class Meta: model = Snippet fields = ('id', 'title', 'code', 'linenos', 'language', 'style', 'owner')

这里我们使用了ReadOnlyField类型，这个类型是只读的，不能被更新，和Charfield(read_only=True)是一样的效果

添加权限认证

我们希望只有登录的用户能够去增加代码片段，未登录则只有查看的权限，此时我们需要用到IsAuthenticatedOrReadOnly

修改views.py，为snippet的两个类views添加permission_classes字段

from rest_framework import permissions class SnippetList(generics.ListCreateAPIView): permission_classes = (permissions.IsAuthenticatedOrReadOnly, ) class SnippetDetail(generics.RetrieveUpdateDestroyAPIView): permission_classes = (permissions.IsAuthenticatedOrReadOnly, ) 添加登陆接口

修改项目的urls.py

urlpatterns = [ url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')) ]

r'^api-auth/'可以自定，namespace在Django 1.9 + 的版本中可以省略

运行Django服务器，访问your.domain/snippets/，点击右上角的登陆按钮，登陆我们之前创建的用户后，就可以创建代码片段了

创建完几个代码片段后，再访问your.domain/users/时，就可以看到每个用户创建了哪几个代码片段了

对象级别的权限

现在用户都可以对所有的snippets进行增删改查，我们要确保只有创建者可以对snippets进行改动或删除。

在snippetsapp中，创建permissions.py

from rest_framework import permissions class IsOwnerOrReadOnly(permissions.BasePermission): """ custom permission to only allow owners of an object to edit it """ def has_object_permission(self, request, view, obj): # allow all user to read if requesthod in permissions.SAFE_METHODS: return True # only allow owner to edit return obj.owner == request.user

在views.py中添加权限

from snippets.permissions import IsOwnerOrReadOnly class SnippetDetail(generics.RetrieveUpdateDestroyAPIView): permission_classes = (permissions.IsAuthenticatedOrReadOnly, IsOwnerOrReadOnly)

此时我们访问your.domain/snippets/1/，若用户未登录或登录用户不是该snippets的创建者，则只有读的权限，页面上表现为没有DELETE(上方中间)和PUT(右下角)按钮

通过接口进行权限认证

之前我们是通过浏览器页面进行登录的，而当我们直接使用接口去请求时，如果没有进行登录，而对某个snippet进行修改或是创建一个新的snippet，则会报错

(django_rest_framework) [root@localhost django_rest_framework]# http POST http://127.0.0.1:80/snippets/ code="hahah" HTTP/1.0 403 Forbidden Allow: GET, POST, HEAD, OPTIONS Content-Length: 58 Content-Type: application/json Date: Tue, 28 Nov 2017 14:56:18 GMT Server: WSGIServer/0.2 CPython/3.6.3 Vary: Accept, Cookie X-Frame-Options: SAMEORIGIN { "detail": "Authentication credentials were not provided." } (django_rest_framework) [root@localhost django_rest_framework]# http POST http://127.0.0.1:80/snippets/1/ code="hahah" HTTP/1.0 403 Forbidden Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS Content-Length: 58 Content-Type: application/json Date: Tue, 28 Nov 2017 14:56:26 GMT Server: WSGIServer/0.2 CPython/3.6.3 Vary: Accept, Cookie X-Frame-Options: SAMEORIGIN { "detail": "Authentication credentials were not provided." }

我们在发送请求时，提供用户名和密码，就可以进行操作了

(django_rest_framework) [root@localhost django_rest_framework]# http -a your_username:your_password POST http://127.0.0.1:80/snippets/ code="hahah" HTTP/1.0 201 Created Allow: GET, POST, HEAD, OPTIONS Content-Length: 104 Content-Type: application/json Date: Tue, 28 Nov 2017 14:58:10 GMT Server: WSGIServer/0.2 CPython/3.6.3 Vary: Accept, Cookie X-Frame-Options: SAMEORIGIN { "code": "hahah", "id": 4, "language": "python", "linenos": false, "owner": "song", "style": "friendly", "title": "" } 关于

本人是初学Django REST framework，Django REST framework 学习纪要系列文章是我从官网文档学习后的初步消化成果，如有错误，欢迎指正。

学习用代码Github仓库：shelmingsong/django_rest_framework

本文参考的官网文档：Tutorial 4: Authentication & Permissions

博客更新地址宋明耀的博客[ 第一时间更新 ]知乎专栏 Python Cookbook简书流月0的文章

【本文地址】

公司简介

联系我们