官方文档: https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/
概览
1. 本章目的
- Code snippets 能关联到创作者;
- 只有通过认证的用户才可以创建代码片段;
- 只有代码片段的创作者才可以更新或删除它;
- 没有通过登录认证的请求只有只读权限。
2. Adding information to our model
1. Add the following two fields to the Snippet model in models.py
from django.db import models
from pygments.lexers import get_all_lexers
from pygments.styles import get_all_styles
LEXERS = [item for item in get_all_lexers() if item[1]]
LANGUAGE_CHOICES = sorted([(item[1][0], item[0]) for item in LEXERS])
STYLE_CHOICES = sorted((item, item) for item in get_all_styles())
class Snippet(models.Model):
created = models.DateTimeField(auto_now_add=True)
title = models.CharField(max_length=100, blank=True, default='')
code = models.TextField()
linenos = models.BooleanField(default=False)
language = models.CharField(choices=LANGUAGE_CHOICES, default='python', max_length=100)
style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100)
# the user who created the code snippet.
owner = models.ForeignKey('auth.User',
related_name='snippets',
on_delete=models.CASCADE)
# It will be used to store the highlighted HTML.
highlighted = models.TextField()
class Meta:
ordering = ('created',)
2. overwite save() function
from pygments.lexers import get_lexer_by_name
from pygments.formatters.html import HtmlFormatter
from pygments import highlight
def save(self, *args, **kwargs):
"""
Use the `pygments` library to create a highlighted HTML
representation of the code snippet.
"""
lexer = get_lexer_by_name(self.language)
linenos = 'table' if self.linenos else False
options = {'title': self.title} if self.title else {}
formatter = HtmlFormatter(style=self.style, linenos=linenos,
full=True, **options)
self.highlighted = highlight(self.code, lexer, formatter)
super(Snippet, self).save(*args, **kwargs)
3. sync database
python manage.py makemigrations snippets
python manage.py migrate
4 .create a super user to test
python manage.py createsuperuser
3. Adding endpoints for our User models
1. Creating a new serializer in serializers.py
from django.contrib.auth.models import User
class UserSerializer(serializers.ModelSerializer):
# 因为snippets字段没有在User中定义,
# 它和User model 是一个反向的关系。因此我们需要显式的声明。
snippets = serializers.PrimaryKeyRelatedField(many=True,
queryset=Snippet.objects.all())
class Meta:
model = User
fields = ('id', 'username', 'snippets')
2. add views to views.py
"""
只允许对用户表进行查询而不能进行修改,因此是只读的
并且继承这查询的两个类就可以了。
"""
from django.contrib.auth.models import User
class UserList(generics.ListAPIView):
queryset = User.objects.all()
serializer_class = UserSerializer
class UserDetail(generics.RetrieveAPIView):
queryset = User.objects.all()
serializer_class = UserSerializer
3. add those views into the urls.py
path('users/', views.UserList.as_view()),
path('users/<int:pk>/', views.UserDetail.as_view()),
4. Associating Snippets with Users
1. overriding a .perform_create()
def perform_create(self, serializer):
serializer.save(owner=self.request.user)
5. Updating our serializer
# add the following field to the serializers.py
owner = serializers.ReadOnlyField(source='owner.username')
# add 'owner' to the list of fields in the inner Meta class.
- source argument controls which attribute is used.
- ReadOnlyField is always read-only, it will be used for serialized representations, but will not be used for updating model instances when they are deserialized.
- ReadOnlyField == CharField(read_only=True)
6. Adding required permissions to views.
- DRF 有许多权限类用于控制哪些用户可以访问哪些view.
- 在这一节我们使用IsAuthenticatedOrReadOnly类来控制通过认证的用户有读写权限,没有通过的用户只有只读权限。
1. import the permissions class in the views module.
from rest_framework import permissions
2. add the following property to both the SnippetList and SnippetDetail view classes.
premission_classes = (permissions.IsAuthenticatedOrReadOnly,)
3. define the urls
from django.conf.urls import include
urlpatterns += [
path('api-auth/', include('rest_framework.urls')),
]
- 现在打开浏览器会在右上脚看到“Login”,只有登录后才可以创建更新代码片段,如果没有登录成功则只有只读权限。
7. Object level permissions.
- 如果我们需要某些用户有所有代码片段的访问权限,但是只有创作者才可以更新或删除它。那我们需要针对不同的用户赋于不同的权限。因此我们需要自定义权限类。
1. create a new file permissions.py
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
Custom permission to only allow owners of an object to edit it.
"""
def has_object_permission(self, request, view, obj):
# Read permissions are allowed to any request,
# so we'll always allow GET, HEAD or OPTIONS requests.
if request.method in permissions.SAFE_METHODS:
return True
# Write permissions are only allowed to the owner of the snippet.
return obj.owner == request.user
- 自定义权限类:
- 需要继承permissions.BasePermission
- 需要重写 has_object_permission()
2. add custom permission to our snippet instance.
from snippets.permissions import IsOwnerOrReadOnly
permission_classes = (permissions.IsAuthenticatedOrReadOnly,
IsOwnerOrReadOnly,)
8. Authenticating with the API
- 登录前
http POST http://127.0.0.1:8000/snippets/ code="print(123)"
{
"detail": "Authentication credentials were not provided."
}
- 登录后
http -a admin:password123 POST http://127.0.0.1:8000/snippets/ code="print(789)"
{
"id": 1,
"owner": "admin",
"title": "foo",
"code": "print(789)",
"linenos": false,
"language": "python",
"style": "friendly"
}