REST framework组件-认证、权限、限制

认证

定义user表和token表

class UserInfo(models.Model):
    """Minimal account record used by the token-login example below.

    NOTE(review): AuthView matches ``pwd`` verbatim (``filter(pwd=pwd)``), so
    this column holds the cleartext password.  Store a salted hash (Django's
    ``make_password`` / ``check_password``) before using this outside a demo.
    """

    # Account tiers.  The field stays named ``type`` (shadowing the builtin)
    # because views read it as ``request.user.type``.
    TYPE_CHOICES = (
        (1, '普通用户'),
        (2, 'VIP用户'),
    )

    username = models.CharField(verbose_name='用户名', max_length=32)
    pwd = models.CharField(max_length=64)
    type = models.SmallIntegerField(choices=TYPE_CHOICES, default=1)


class UserToken(models.Model):
    """One opaque bearer token per UserInfo row.

    The row is overwritten on every login (see AuthView) and is deleted together
    with its user.  There is no issue timestamp and no expiry, so a leaked token
    stays valid until that user logs in again — add ``created`` / ``expires``
    columns and check them in the authenticator before relying on this.
    """

    # Exactly one token per account: a new login replaces the old value.
    user = models.OneToOneField(to='UserInfo', on_delete=models.CASCADE)
    # Random value handed to the client; MyAuth looks it up verbatim.
    token = models.CharField(max_length=64)

定义一个登录视图

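class AuthView(APIView):
    """Login endpoint: exchange ``username`` / ``pwd`` for a fresh bearer token.

    POST body: ``username``, ``pwd``.
    Response: ``{'code': 1000, 'token': ...}`` on success,
    ``{'code': 1001, 'error': ...}`` on any failure (one message for both a
    wrong username and a wrong password, so the endpoint does not confirm
    which accounts exist).

    Security notes:
    * Credentials are not printed any more — the original ``print`` wrote the
      cleartext password to stdout / log collectors on every attempt.
    * The token is 32 random bytes from ``secrets`` (64 hex characters, which
      is exactly UserToken.token's ``max_length``) instead of a UUID string.
    * The lookup still compares ``pwd`` verbatim against the stored column,
      i.e. the table holds cleartext passwords; switch to Django's
      ``check_password`` once the registration path stores hashes.
    * Nothing here rate-limits attempts; pair the view with a throttle class.
    """

    def post(self, request, *args, **kwargs):
        import secrets  # stdlib; local so the module's import block is untouched

        ret = {'code': 1000}
        username = request.data.get('username')
        pwd = request.data.get('pwd')

        # Reject blank credentials before touching the database: an empty
        # ``pwd`` must never match an account.
        user = None
        if username and pwd:
            user = models.UserInfo.objects.filter(username=username, pwd=pwd).first()

        if user is None:
            ret['code'] = 1001
            ret['error'] = '用户名或密码错误'
            return Response(ret)

        # Rotate the token on every login; the previous value stops working.
        token = secrets.token_hex(32)
        models.UserToken.objects.update_or_create(user=user, defaults={'token': token})
        ret['token'] = token
        return Response(ret)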

定义一个认证类

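class MyAuth(BaseAuthentication):
    """Bearer-token authenticator backed by the UserToken table.

    Token sources, first match wins:
      1. ``Authorization: Token <token>`` request header — preferred, because
         headers are not copied into access logs, referrers or browser history
         the way a query string is;
      2. ``token`` in the request body (the original POST/PUT/DELETE path);
      3. ``token`` in the query string (the original GET path).

    Every HTTP method is checked.  The original only looked at
    POST/PUT/DELETE/GET and returned ``(None, None)`` for anything else, so
    PATCH — which ModelViewSet routes to ``partial_update`` — went through
    without a token at all.

    On success ``request.user`` is the UserInfo instance and ``request.auth``
    the UserToken row.  (The original returned the username *string*, which
    made ``request.user.type`` in MyPermission raise AttributeError.)  UserInfo
    is not a ``django.contrib.auth`` user, so DRF helpers that rely on
    ``is_authenticated`` will not work with it.
    """

    keyword = 'Token'

    def _token_from_header(self, request):
        """Return the value of ``Authorization: Token <value>``, else None."""
        header = request.META.get('HTTP_AUTHORIZATION', '')
        parts = header.split()
        if len(parts) == 2 and parts[0].lower() == self.keyword.lower():
            return parts[1]
        return None

    def authenticate(self, request):
        request_token = self._token_from_header(request)
        if not request_token:
            # A JSON list body makes ``request.data`` a list, so guard ``.get``;
            # body-less requests (GET) fall through to the query string.
            data = request.data
            body_token = data.get('token', None) if hasattr(data, 'get') else None
            request_token = body_token or request.query_params.get('token', None)
        if not request_token:
            raise AuthenticationFailed('缺少token')

        token_obj = models.UserToken.objects.filter(token=request_token).first()
        if not token_obj:
            raise AuthenticationFailed('无效的token')
        # Hand back the model instance, not its username: permission classes
        # read ``request.user.type``.
        return token_obj.user, token_obj

    def authenticate_header(self, request):
        """``WWW-Authenticate`` value so a failed auth yields 401, not 403."""
        return self.keyword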

视图级别认证

class BookViewSet(viewsets.ModelViewSet):
    """CRUD endpoints for Book, authenticated per-view through MyAuth.

    Only *authentication* is configured here.  Which callers may act is decided
    by ``permission_classes``, which this view does not set, so DRF falls back
    to ``DEFAULT_PERMISSION_CLASSES`` from settings; if that is unset as well,
    anyone holding a valid token can create, update and delete books.
    """

    queryset = Book.objects.all()
    serializer_class = BookSerializers

    # Per-view override of DEFAULT_AUTHENTICATION_CLASSES.
    authentication_classes = [MyAuth]

全局级别认证

# settings.py: every DRF view runs MyAuth unless it overrides
# authentication_classes itself.  This sets only authentication; permissions
# are still whatever DEFAULT_PERMISSION_CLASSES / the view declares.
REST_FRAMEWORK = dict(
    DEFAULT_AUTHENTICATION_CLASSES=["api.auth.auth.MyAuth"],
)

权限

自定义一个权限类

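class MyPermission(BasePermission):
    """Allow the request only for VIP accounts (``UserInfo.type == 2``).

    Relies on the authentication step having stored the UserInfo instance in
    ``request.user``.  ``type`` is read with ``getattr`` so that an
    unauthenticated request (``request.user`` is None) or an authenticator that
    stored something else — e.g. a bare username string — is *denied* instead
    of raising AttributeError: a permission check must fail closed, not crash.
    """

    message = 'VIP用户才能访问'
    VIP_TYPE = 2  # matches the UserInfo.type choice (2, 'VIP用户')

    def has_permission(self, request, view):
        """Return True only when the authenticated user's tier is VIP."""
        user = getattr(request, 'user', None)
        return getattr(user, 'type', None) == self.VIP_TYPE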

视图级别配置

class BookViewsSet(viewsets.ModelViewSet):
    """CRUD endpoints for Book restricted to VIP users.

    MyAuth resolves the bearer token to a user; MyPermission then checks that
    user's tier.  Both are set per-view here, overriding whatever the
    REST_FRAMEWORK settings declare.
    """

    queryset = Book.objects.all()
    serializer_class = BookModelSerializer

    # Authentication first, then the permission check on the resolved user.
    authentication_classes = [MyAuth]
    permission_classes = [MyPermission]

全局级别设置

# settings.py: project-wide defaults — every view authenticates with MyAuth
# and is then gated by MyPermission (VIP only) unless it overrides
# authentication_classes / permission_classes itself.
REST_FRAMEWORK = dict(
    DEFAULT_AUTHENTICATION_CLASSES=["api.auth.auth.MyAuth"],
    DEFAULT_PERMISSION_CLASSES=["api.auth.auth.MyPermission"],
)

限制(待续)

注:限流不是可有可无的补充——上面的 AuthView 对登录失败没有任何速率限制,攻击者可以无限次猜测口令,至少应为登录接口配置 DRF 的 throttle 类。
