framework —— auth认证+权限+限流==》 联合使用
framework —— auth认证+权限+限流==》 联合使用
1.业务需求
a. 对匿名用户进行限制,每个用户1分钟允许访问10次
b. 对匿名用户进行限制,每个用户1分钟允许访问5次,登录的用户1分钟访问10次,vip用户1分钟允许访问20次
2.目录结构
3.urls.py
4.app04/views.py:
from django.shortcuts import render from rest_framework.response import Response from rest_framework.views import APIView from rest_framework.throttling import BaseThrottle,SimpleRateThrottle from rest_framework import exceptions from rest_framework.authentication import BaseAuthentication from app02 import models # Create your views here. #用户认证 class MyAuthentication(BaseAuthentication): """ All authentication classes should extend BaseAuthentication. """ def authenticate(self, request): """ Authenticate the request and return a two-tuple of (user, token). """ token = request.query_params.get('token') obj = models.Userinfo.objects.filter(token=token).first() if obj: return (obj.username,obj) return None def authenticate_header(self, request): """ Return a string to be used as the value of the `WWW-Authenticate` header in a `401 Unauthenticated` response, or `None` if the authentication scheme should return `403 Permission Denied` responses. """ pass #用户权限控制 class MyPermission(object): message = "无权访问" def has_permission(self,request,view): if request.user: # print(request.user) return True return False #管理员权限控制 class AdminPermission(object): message = "无权访问" def has_permission(self,request,view): if request.user == 'zxc': return True return False #匿名用户 class AnonThrottle(SimpleRateThrottle): scope = 'zxc_anon' def get_cache_key(self, request, view): #返回None,就不限制 #登录用户不限制 if request.user: return None #匿名用户就需要限制了 return self.get_ident(request) #登录用户 class UserThrottle(SimpleRateThrottle): scope = 'zxc_user' def get_cache_key(self, request, view): #登录用户 if request.user: return request.user return None #展示列表,无需登录就可以访问 class IndexView(APIView): authentication_classes = [MyAuthentication,] permission_classes = [] throttle_classes = [AnonThrottle,UserThrottle] def get(self,request,*args,**kwargs): self.dispatch return Response('访问首页') #展示列表,必须登录之后才可以访问 class IndexView(APIView): authentication_classes = [MyAuthentication,] permission_classes = [MyPermission,] throttle_classes = [AnonThrottle,UserThrottle] def get(self,request,*args,**kwargs): self.dispatch return Response('访问首页')
5.settings.py:
6.用户数据
验证:
登录用户:
登录超过10次就无法访问,给限制了
匿名用户一样,登录5次之后就给限制了。管理员没加进来,原理一样。