class APIView(View):
    """Excerpt of the API view request pipeline: authenticate, authorise, dispatch.

    Only the permission-related path is shown. Helpers such as
    ``perform_authentication``, ``check_throttles``, ``initialize_request``,
    ``handle_exception`` and ``finalize_response`` are called here but are
    defined outside this excerpt.
    """

    # Permission classes applied to every request unless a subclass overrides
    # this attribute; the default comes from the project settings.
    permission_classes = api_settings.DEFAULT_PERMISSION_CLASSES

    def permission_denied(self, request, message=None, code=None):
        """Reject the request by raising the appropriate exception.

        Raises ``NotAuthenticated`` when authenticators are configured but none
        of them identified the caller, otherwise ``PermissionDenied`` carrying
        the refusing permission's ``message`` and ``code``.
        """
        # Either no authenticators are configured or one of them succeeded,
        # so the caller is refused on permission grounds.
        if not request.authenticators or request.successful_authenticator:
            raise exceptions.PermissionDenied(detail=message, code=code)
        # Authentication was attempted and nobody was identified.
        raise exceptions.NotAuthenticated()

    def get_permissions(self):
        """Return one fresh instance of every class in ``permission_classes``."""
        instances = []
        for permission_cls in self.permission_classes:
            instances.append(permission_cls())
        return instances

    def check_permissions(self, request):
        """Require every permission object to grant the request (AND semantics).

        The permission objects are evaluated in order; the first one whose
        ``has_permission`` returns a falsy value triggers ``permission_denied``
        with that object's optional ``message`` / ``code`` attributes.
        """
        for checker in self.get_permissions():
            if checker.has_permission(request, self):
                continue
            self.permission_denied(
                request,
                message=getattr(checker, 'message', None),
                code=getattr(checker, 'code', None),
            )

    def initial(self, request, *args, **kwargs):
        """Run the pre-handler checks: authentication, permissions, throttling.

        The order matters: permissions are evaluated only after authentication
        has run, and all three steps complete before ``dispatch`` selects a
        handler.
        """
        # Authentication step (original note: each authenticator's
        # authenticate() is tried in turn, a failure raises, and
        # request.user / request.auth are populated).
        self.perform_authentication(request)
        # Permission step.
        self.check_permissions(request)
        self.check_throttles(request)

    def dispatch(self, request, *args, **kwargs):
        """Wrap the incoming request, run the checks and call the method handler.

        Any exception raised by ``initial`` or by the handler, including the
        ones raised by ``permission_denied``, is passed to ``handle_exception``
        and turned into the response that is finalized and returned.
        """
        self.args = args
        self.kwargs = kwargs
        self.request = request = self.initialize_request(request, *args, **kwargs)
        self.headers = self.default_response_headers  # deprecate?

        try:
            # The checks run before the HTTP method is looked at, so an
            # unsupported method is also subject to them.
            self.initial(request, *args, **kwargs)

            verb = request.method.lower()
            handler = (
                getattr(self, verb, self.http_method_not_allowed)
                if verb in self.http_method_names
                else self.http_method_not_allowed
            )
            response = handler(request, *args, **kwargs)
        except Exception as exc:
            response = self.handle_exception(exc)

        self.response = self.finalize_response(request, response, *args, **kwargs)
        return self.response
class MyPermission1(BasePermission):
    """Demo permission that grants every request."""

    # Picked up via getattr(permission, 'message', None) by the view's
    # check_permissions when this permission refuses a request.
    message = {
        'status': False,
        'error': 'NoMyPermission1',
    }

    def has_permission(self, request, view):
        """Trace the call and allow the request unconditionally."""
        print('MyPermission1')  # debug trace showing the evaluation order
        return True
class MyPermission2(BasePermission):
    """Demo permission that refuses every request."""

    # Picked up via getattr(permission, 'message', None) by the view's
    # check_permissions when this permission refuses a request.
    message = {
        'status': False,
        'error': 'NoMyPermission2',
    }

    def has_permission(self, request, view):
        """Trace the call and refuse the request unconditionally."""
        print('MyPermission2')  # debug trace showing the evaluation order
        return False
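class UserView(APIView):
    """Example view that combines its permission classes with OR instead of AND.

    The stock ``APIView.check_permissions`` requires every permission to pass.
    The override below grants access as soon as any single permission passes,
    so adding a permission class to this view widens access rather than
    narrowing it, and one permissive class makes the others irrelevant.
    DRF's built-in composition (``PermA | PermB``) expresses a per-view OR
    without replacing the check itself.
    """

    # permission_classes = []

    def get(self, request):
        """Return the name of the user attached to the request."""
        # NOTE(review): request.auth is whatever the authenticator returned
        # alongside the user; for token schemes that is typically the token
        # itself. Printing it copies the credential to stdout and any log that
        # captures it, so drop or redact this outside a demo.
        print(request.user, request.auth)
        return Response({'status': True, 'user': request.user.username})

    # Extension: OR semantics for the permission check.
    def check_permissions(self, request):
        """Allow the request if at least one permission object grants it.

        Permission objects are tried in order and the first grant ends the
        check. If none grants, the request is rejected through
        ``permission_denied`` using the ``message`` / ``code`` of the first
        permission that refused.

        With an empty permission list nothing can grant, so the request is
        denied with no message. The previous version indexed an empty list
        there and failed with ``IndexError``; access is not widened by the fix.
        """
        first_refusal = None
        for permission in self.get_permissions():
            if permission.has_permission(request, self):
                return
            if first_refusal is None:
                first_refusal = permission

        # getattr on None yields the None defaults, which covers the empty
        # permission list without a special case.
        self.permission_denied(
            request,
            message=getattr(first_refusal, 'message', None),
            code=getattr(first_refusal, 'code', None),
        )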