DRF - Permissions

Create a utils directory under the app directory and add two files to it: auth.py and permission.py.
auth.py:

```python
from rest_framework.authentication import BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed

from drf import models


# Authentication class applied globally
class GlobalAuthentication(BaseAuthentication):
    def authenticate(self, request):
        # request.query_params is DRF's wrapper around request._request.GET
        token = request.query_params.get("token")
        token_obj = models.UserToken.objects.filter(token=token).first()
        if not token_obj:
            raise AuthenticationFailed("用户认证失败")
        # DRF stores this tuple as (request.user, request.auth)
        return (token_obj.user, None)

    def authenticate_header(self, request):
        # Returning None makes DRF answer a failed authentication with 403 rather than 401
        pass
```
permission.py:

```python
from rest_framework.permissions import BasePermission


# Permission class applied globally
class GlobalPermission(BasePermission):
    # message is the text returned when permission is denied; the default can also be used
    message = "超级用户权限才能访问"

    def has_permission(self, request, view):
        # user_type 3 is the superuser level
        return request.user.user_type == 3


# Permission class applied to a single view
class MyPermission(BasePermission):
    message = "管理员及以上权限才能访问"

    def has_permission(self, request, view):
        # user_type 2 is administrator, 3 is superuser
        return request.user.user_type >= 2
```

Returning True grants access; returning False denies it.
Configure settings.py:

```python
REST_FRAMEWORK = {
    # Authentication classes used globally
    "DEFAULT_AUTHENTICATION_CLASSES": ["drf.utils.auth.GlobalAuthentication"],
    # Value of request.user for unauthenticated requests
    "UNAUTHENTICATED_USER": None,
    # Value of request.auth for unauthenticated requests
    "UNAUTHENTICATED_TOKEN": None,
    # Permission classes used globally
    "DEFAULT_PERMISSION_CLASSES": ["drf.utils.permission.GlobalPermission"],
}
```
views.py:

```python
from django.http import JsonResponse
from rest_framework.views import APIView

from drf.utils.permission import MyPermission

ORDER_DICT = {
    1: {
        "commodity": "Phone",
        "price": 3600,
        "date": "2021-01-03",
    },
    2: {
        "commodity": "Computer",
        "price": 6700,
        "date": "2021-01-05",
    },
}


class OrderView(APIView):
    """
    View orders (uses the global permission class)
    """

    def get(self, request, *args, **kwargs):
        response = {"code": 1000, "msg": None, "data": None}
        try:
            response["data"] = ORDER_DICT
        except Exception:
            pass
        return JsonResponse(response)


USER_DICT = {
    1: {
        "name": "John",
        "password": "John123",
        "phone": "20210103",
    },
    2: {
        "name": "Jack",
        "password": "Jack456",
        "phone": "20210105",
    },
}


class UserinfoView(APIView):
    """
    View user information
    """

    # Overrides the global permission class for this view only
    permission_classes = [MyPermission]

    def get(self, request, *args, **kwargs):
        response = {"code": 1000, "msg": None, "data": None}
        try:
            response["data"] = USER_DICT
        except Exception:
            pass
        return JsonResponse(response)
```
Data in the UserInfo table:

Data in the UserToken table:
Requesting /order/?token=b9d56bfaeba57885b63dd0081c97c1d2 authenticates as the admin user, which is an administrator but not the superuser that GlobalPermission requires.

Requesting /order/?token=j54f28hgrtyj977439j54db7494i90l5 authenticates as the superuser, which satisfies the configured permission.

Requesting /userinfo/?token=e3g34hyrdrw49766h86tf4109f56t3f7 authenticates as a normal user, which is below the administrator-or-above level that MyPermission requires.

Requesting /userinfo/?token=b9d56bfaeba57885b63dd0081c97c1d2 authenticates as the administrator user.
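The check order behind the four requests above, as an added example that is not part of the post: a pure-Python model (no Django or DRF needed) of how DRF runs the authentication class first and only then the view's permission class, covering the four requests plus the unknown-token case. The user names, token values and the www_authenticate argument are constructed for this example, and the functions mirror the post's classes rather than being DRF's own code.

```python
from dataclasses import dataclass

# Constructed stand-ins for the UserInfo and UserToken tables (not the post's data)
NORMAL, ADMIN, SUPERUSER = 1, 2, 3
USERS = {"alice": NORMAL, "admin": ADMIN, "root": SUPERUSER}
TOKENS = {"tok-normal": "alice", "tok-admin": "admin", "tok-super": "root"}


@dataclass
class User:
    name: str
    user_type: int


class AuthenticationFailed(Exception):
    pass


def authenticate(token):
    """Mirrors GlobalAuthentication: look the token up, fail if it is unknown."""
    name = TOKENS.get(token)
    if name is None:
        raise AuthenticationFailed("用户认证失败")
    return User(name, USERS[name])


def global_permission(user):
    """Mirrors GlobalPermission: only the superuser level passes."""
    return user.user_type == SUPERUSER


def my_permission(user):
    """Mirrors MyPermission: administrator level and above pass."""
    return user.user_type >= ADMIN


# /order/ keeps the global class; /userinfo/ overrides it with MyPermission
VIEWS = {"/order/": global_permission, "/userinfo/": my_permission}


def dispatch(path, token, www_authenticate=None):
    """Return the status DRF would send. Authentication always runs before the
    permission check, so an unknown token never reaches has_permission.
    With authenticate_header() returning None, as in the post's class, DRF
    downgrades the 401 for a failed authentication to 403, so a caller cannot
    tell a bad token from a missing permission; the hypothetical
    www_authenticate argument stands for a WWW-Authenticate value that keeps 401."""
    try:
        user = authenticate(token)
    except AuthenticationFailed:
        return 401 if www_authenticate else 403
    return 200 if VIEWS[path](user) else 403
```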

DRF permissions include a built-in class, AllowAny, which allows every request; it is the default when no permission class is configured.
