django rest framework之权限的源码流程剖析
视图类:
1 class UserViewset(BaseView): 2 ''' 3 create: 4 创建用户 5 retrieve: 6 7 ''' 8 queryset = User.objects.all() 9 authentication_classes = (JSONWebTokenAuthentication, authentication.SessionAuthentication) 10 def get_serializer_class(self): 11 self.dispatch 12 if self.action == "retrieve": 13 return UserDetailSerializer 14 elif self.action == "create": 15 return UserRegSerializer 16 17 return UserDetailSerializer 18 19 def get_permissions(self): #添加权限类(根据用户请求方法不同设置不同的权限类) 20 if self.action == "retrieve": 21 return [permissions.IsAuthenticated()] 22 elif self.action == "create": 23 return [] 24 25 return [] 26 27 def create(self, request, *args, **kwargs): 28 serializer = self.get_serializer(data=request.data) 29 serializer.is_valid(raise_exception=True) 30 user = self.perform_create(serializer) 31 re_dict = serializer.data 32 payload = jwt_payload_handler(user) 33 re_dict["token"] = jwt_encode_handler(payload) 34 re_dict["name"] = user.name if user.name else user.username 35 36 headers = self.get_success_headers(serializer.data) 37 return Response(re_dict, status=status.HTTP_201_CREATED, headers=headers) 38 39 def get_object(self): 40 return self.request.user 41 42 def perform_create(self, serializer): 43 return serializer.save()
通认证的流程一样都在dispatch中调用initial函数
1 def initial(self, request, *args, **kwargs): 2 """ 3 Runs anything that needs to occur prior to calling the method handler. 4 """ 5 self.format_kwarg = self.get_format_suffix(**kwargs) 6 7 # Perform content negotiation and store the accepted info on the request 8 neg = self.perform_content_negotiation(request) 9 request.accepted_renderer, request.accepted_media_type = neg 10 11 # Determine the API version, if versioning is in use. 12 version, scheme = self.determine_version(request, *args, **kwargs) 13 request.version, request.versioning_scheme = version, scheme 14 15 # Ensure that the incoming request is permitted 16 self.perform_authentication(request) 17 self.check_permissions(request) #检查权限 18 self.check_throttles(request)
在check_permissions函数:
1 def check_permissions(self, request): 2 """ 3 Check if the request should be permitted. 4 Raises an appropriate exception if the request is not permitted. 5 """ 6 for permission in self.get_permissions(): #循环在视图类中添加的权限类 7 if not permission.has_permission(request, self): #调用权限类的has_permission方法进行验证
8 self.permission_denied( 9 request, message=getattr(permission, 'message', None) 10 ) #认证失败就返回响应
我自定义的权限类:
1 class IsOwnerOrReadOnly(permissions.BasePermission): 2 """ 3 Custom permission to only allow owners of an object to edit it. 4 """ 5 6 def has_object_permission(self, request, view, obj): 7 # Read permissions are allowed to any request, 8 # so we'll always allow GET, HEAD or OPTIONS requests. 9 if request.method in permissions.SAFE_METHODS: 10 return True 11 12 # Write permissions are only allowed to the owner of the snippet. 13 14 return 'permission' in self.get_user_permissions(request) 15 16 17 def get_user_permissions(self,request): 18 group_list = request.user.groups.all() 19 permissions = [] 20 for group in group_list: 21 for permission in group.permissions: 22 permissions.append(permission.name) 23 return permissions