【1127 | Day67】认证模块的局部配置(源码分析)
1、进入urls.py
文件
url(r'^login/', views.LoginCBV.as_view(),name = "login"),
2、然后执行LoginCBV
这个类的as_view
方法
LoginCBV这个类是我们自己的写的,但是LoginCBV类根本没有写as_view这个方法,那么我们该怎么办?
3、此时我们应该去找LoginCBV的父类,看父类是否as_view方法
4、先确认LoginCBV这个类的父类,很清楚,我们看到LoginCBV这个类的父类是APIView
这个类
class LoginCBV(APIView):
5、下面我们去APIView这个类中查找是否有as_view这个方法,我们在APIView这个类中找到了as_view方法,这个被classmethod修饰符修饰。
也就是说这个方法是一个类方法,由一个类本身就可以调用这个方法,这个时候大家再意会一下,在urls.py文件中,是不是一个类在调用as_view方法?
@classmethod
def as_view(cls, **initkwargs):
6、下面我们来具体看下as_view这个方法,到底做了什么事情?
下面是方法的源码:
@classmethod
def as_view(cls, **initkwargs):
"""
Store the original class on the view function.
This allows us to discover information about the view when we do URL
reverse lookups. Used for breadcrumb generation.
"""
if isinstance(getattr(cls, 'queryset', None), models.query.QuerySet):
def force_evaluation():
raise RuntimeError(
'Do not evaluate the `.queryset` attribute directly, '
'as the result will be cached and reused between requests. '
'Use `.all()` or call `.get_queryset()` instead.'
)
cls.queryset._fetch_all = force_evaluation
view = super(APIView, cls).as_view(**initkwargs)
view.cls = cls
view.initkwargs = initkwargs
# Note: session based authentication is explicitly CSRF validated,
# all other authentication is CSRF exempt.
return csrf_exempt(view)
我们来重点看下需要我们知道的,首先这个函数的返回值是一个view
方法
接着我们看下view这个方法,从这里我们可以看到,view就是执行APIView父类的as_view方法,下面我们接着去找APIView类的父类的as_view方法
7、进入APIView父类中,我们看到APIView类的父类是View
class APIView(View)
8、进入View类中,看下as_view这个方法到底了干了什么?
@classonlymethod
def as_view(cls, **initkwargs):
"""
Main entry point for a request-response process.
"""
for key in initkwargs:
if key in cls.http_method_names:
raise TypeError("You tried to pass in the %s method name as a "
"keyword argument to %s(). Don't do that."
% (key, cls.__name__))
if not hasattr(cls, key):
raise TypeError("%s() received an invalid keyword %r. as_view "
"only accepts arguments that are already "
"attributes of the class." % (cls.__name__, key))
def view(request, *args, **kwargs):
self = cls(**initkwargs)
if hasattr(self, 'get') and not hasattr(self, 'head'):
self.head = self.get
self.request = request
self.args = args
self.kwargs = kwargs
return self.dispatch(request, *args, **kwargs)
view.view_class = cls
view.view_initkwargs = initkwargs
# take name and docstring from class
update_wrapper(view, cls, updated=())
# and possible attributes set by decorators
# like csrf_exempt from dispatch
update_wrapper(view, cls.dispatch, assigned=())
return view
下面我们来分析这个方法的源码,方法的返回值是view这个函数,而view这个函数的返回值是self.dispatch
这个方法
9、下面我们首先要找到self.dispatch这个方法,然后在看下这个方法到底干了什么?
这个self到底是哪个类的实例呢?我们来梳理一下子类和父类的关系
LoginCBV(类)------->APIView(类)------->View(类)------>view(方法)-----》dispatch(方法)
那么我们就需要先从LoginCBV这个类中找dispatch方法,发现没有找到!
然后继续找LoginCBV这个类的父类,也就是APIView这个类,看这个类是否dispatch方法
10、我们最终在APIView这个类中找到了dispatch
方法,所以这里调的dispatch方法一定是APIView这个类的方法
def dispatch(self, request, *args, **kwargs):
"""
`.dispatch()` is pretty much the same as Django's regular dispatch,
but with extra hooks for startup, finalize, and exception handling.
"""
self.args = args
self.kwargs = kwargs
request = self.initialize_request(request, *args, **kwargs)
self.request = request
self.headers = self.default_response_headers # deprecate?
try:
self.initial(request, *args, **kwargs)
# Get the appropriate handler method
if request.method.lower() in self.http_method_names:
handler = getattr(self, request.method.lower(),
self.http_method_not_allowed)
else:
handler = self.http_method_not_allowed
response = handler(request, *args, **kwargs)
except Exception as exc:
response = self.handle_exception(exc)
self.response = self.finalize_response(request, response, *args, **kwargs)
return self.response
这个方法很重要,我们来看下
首先rest_framework处理后的request
然后看下self.initialize.request
方法干了什么,当然找这个方法到底在是哪个类的方法,也是要按照之前我们找dispatch方法的一样。
我这里就直接找到这个方法了,self.initialize.request
这个方法是APIView
这个类的方法
def initialize_request(self, request, *args, **kwargs):
"""
Returns the initial request object.
"""
parser_context = self.get_parser_context(request)
return Request(
request,
parsers=self.get_parsers(),
authenticators=self.get_authenticators(),
negotiator=self.get_content_negotiator(),
parser_context=parser_context
)
这个函数返回一个Request
的实例对象,然后我们在看下Request这个类的,Request类的源码如下 :
class Request(object):
"""
Wrapper allowing to enhance a standard `HttpRequest` instance.
Kwargs:
- request(HttpRequest). The original request instance.
- parsers_classes(list/tuple). The parsers to use for parsing the
request content.
- authentication_classes(list/tuple). The authentications used to try
authenticating the request's user.
"""
def __init__(self, request, parsers=None, authenticators=None,
negotiator=None, parser_context=None):
assert isinstance(request, HttpRequest), (
'The `request` argument must be an instance of '
'`django.http.HttpRequest`, not `{}.{}`.'
.format(request.__class__.__module__, request.__class__.__name__)
)
self._request = request
self.parsers = parsers or ()
self.authenticators = authenticators or ()
self.negotiator = negotiator or self._default_negotiator()
self.parser_context = parser_context
self._data = Empty
self._files = Empty
self._full_data = Empty
self._content_type = Empty
self._stream = Empty
if self.parser_context is None:
self.parser_context = {}
self.parser_context['request'] = self
self.parser_context['encoding'] = request.encoding or settings.DEFAULT_CHARSET
force_user = getattr(request, '_force_auth_user', None)
force_token = getattr(request, '_force_auth_token', None)
if force_user is not None or force_token is not None:
forced_auth = ForcedAuthentication(force_user, force_token)
self.authenticators = (forced_auth,)
不知道大家是否明白这段代码的意思
如果authenticators
为真,则self.authenticators
等于authenticators
;
如果authenticators
为假,则self.authenticators
等于一个空的元组
self.authenticators = authenticators or ()
我们这里要看下实例化Request这个类的时候,authenticators这个参数传递的是什么?
我们在回到initlize_request
方法的返回值,下面我们要来看下self.get_authenticators()
方法是在做什么
下面看下self.get_authenticators()这个方法的源码:
从字面的我们就可以理解,self.authentication_classes
是一个认证的类的列表。
auth()
是每个类的实例对象,这个方法的返回值就是列表,列表中的元素就是每个认证类的实例对象。
这里先剧透一下,authentication_class这个属性是由我们自己的配置的
def get_authenticators(self):
"""
Instantiates and returns the list of authenticators that this view can use.
"""
return [auth() for auth in self.authentication_classes]
到这里,APIView类中的dispatch方法的initialize_request条线就做完了,就是给我们返回了一个新的Request类的实例,这个实例的authenticators就包括我们认证组件相关的类的实例对象
下面我们继续往下走APIView类的dispatch
方法,走self.initial
方法
11、下面先看下initial方法的源码
def initial(self, request, *args, **kwargs):
"""
Runs anything that needs to occur prior to calling the method handler.
"""
self.format_kwarg = self.get_format_suffix(**kwargs)
# Perform content negotiation and store the accepted info on the request
neg = self.perform_content_negotiation(request)
request.accepted_renderer, request.accepted_media_type = neg
# Determine the API version, if versioning is in use.
version, scheme = self.determine_version(request, *args, **kwargs)
request.version, request.versioning_scheme = version, scheme
# Ensure that the incoming request is permitted
self.perform_authentication(request)
self.check_permissions(request)
self.check_throttles(request)
12、我们这里来看下认证组件干了什么事情?
进入认证组件perform_authentication
方法,只返回一个request.user
def perform_authentication(self, request):
"""
Perform authentication on the incoming request.
Note that if you override this and simply 'pass', then authentication
will instead be performed lazily, the first time either
`request.user` or `request.auth` is accessed.
"""
request.user
13、莫名其妙,返回一个实例的属性?
其实这里大家不要忘记了,如果一个类的方法被property修饰了,调用这个方法的就可以使用属性的方式调用,而不用加括号了。
如果大家不清楚,可以看这篇博客:https://www.cnblogs.com/bainianminguo/p/9950607.html
14、下面我们看下request.user
到底是什么?
我们先要知道request
是什么?
看下面的截图
在dispatch
方法中initial
方法的参数有一个request,而这个request就是initialize_request
的返回值,而initialize_request的返回值就是Request
的实例对象
这个request有一个user的属性或者方法,我们下面来找下
15、下面我们来看下request.user
到底是个什么东西?
我们在Request类中确实找到了user这个方法,这个方法也被property装饰器装饰了,所以也印证了我们之前的猜测了,request.user
是一个被property修饰的方法
@property
def user(self):
"""
Returns the user associated with the current request, as authenticated
by the authentication classes provided to the request.
"""
if not hasattr(self, '_user'):
with wrap_attributeerrors():
self._authenticate()
return self._user
16、然后看下self._authenticate
方法
def _authenticate(self):
"""
Attempt to authenticate the request using each authentication instance
in turn.
"""
for authenticator in self.authenticators:
try:
user_auth_tuple = authenticator.authenticate(self)
except exceptions.APIException:
self._not_authenticated()
raise
if user_auth_tuple is not None:
self._authenticator = authenticator
self.user, self.auth = user_auth_tuple
return
self._not_authenticated()
如果符合规范,则返回None
如果不符合规范,则raise抛出错误
到这里,我们就认证组件的源码梳理完了。