DRF - Permissions

Create a utils directory under the app directory and add two files to it, auth.py and permission.py

auth.py:

from rest_framework.authentication import BaseAuthentication
from drf import models
from rest_framework.exceptions import AuthenticationFailed


# Authentication class used globally
class GlobalAuthentication(BaseAuthentication):
    def authenticate(self, request):
        # request.query_params is DRF's alias for the underlying request._request.GET
        token = request.query_params.get("token")
        token_obj = models.UserToken.objects.filter(token=token).first()
        if not token_obj:
            raise AuthenticationFailed("用户认证失败")
        # DRF assigns request.user and request.auth from this (user, auth) tuple
        return (token_obj.user, None)

    def authenticate_header(self, request):
        # Returning None makes DRF answer a failed authentication with 403 rather than 401
        pass

permission.py:

from rest_framework.permissions import BasePermission


# Global permission class
class GlobalPermission(BasePermission):
    # message is the text shown when permission is denied; the default can also be used
    message = "超级用户权限才能访问"

    def has_permission(self, request, view):
        # user_type 3 is the superuser level
        if request.user.user_type == 3:
            return True
        return False


# View-level permission class
class MyPermission(BasePermission):
    message = "管理员及以上权限才能访问"

    def has_permission(self, request, view):
        # user_type 2 is admin, so this allows admin and above
        if request.user.user_type >= 2:
            return True
        return False

Returning True grants permission; returning False denies it.

Configure it in settings.py:

REST_FRAMEWORK = {
    # Authentication classes applied globally
    "DEFAULT_AUTHENTICATION_CLASSES": ["drf.utils.auth.GlobalAuthentication", ],
    # Value of request.user when no authentication succeeds
    "UNAUTHENTICATED_USER": None,
    # Value of request.auth when no authentication succeeds
    "UNAUTHENTICATED_TOKEN": None,
    # Permission classes applied globally
    "DEFAULT_PERMISSION_CLASSES": ["drf.utils.permission.GlobalPermission",],
}

views.py:

from django.http import JsonResponse
from rest_framework.views import APIView
from drf.utils.permission import MyPermission


ORDER_DICT = {
    1: {
        "commodity": "Phone",
        "price": 3600,
        "date": "2021-01-03",
    },
    2: {
        "commodity": "Computer",
        "price": 6700,
        "date": "2021-01-05",
    },
}


class OrderView(APIView):
    """
    View orders
    """

    def get(self, request, *args, **kwargs):
        response = {"code": 1000, "msg": None, "data": None}
        try:
            response["data"] = ORDER_DICT
        except Exception as e:
            pass
        return JsonResponse(response)


USER_DICT = {
    1: {
        "name": "John",
        "password": "John123",
        "phone": "20210103",
    },
    2: {
        "name": "Jack",
        "password": "Jack456",
        "phone": "20210105",
    },
}


class UserinfoView(APIView):
    """
    View user information
    """

    # Overrides the global permission classes for this view only
    permission_classes = [MyPermission, ]

    def get(self, request, *args, **kwargs):
        response = {"code": 1000, "msg": None, "data": None}
        try:
            response["data"] = USER_DICT
        except Exception as e:
            pass
        return JsonResponse(response)

Data in the UserInfo table:

Data in the UserToken table:

Visiting /order/?token=b9d56bfaeba57885b63dd0081c97c1d2 authenticates as the admin user, who is an administrator but not a superuser

Visiting /order/?token=j54f28hgrtyj977439j54db7494i90l5 corresponds to the superuser, which satisfies the required permission

Visiting /userinfo/?token=e3g34hyrdrw49766h86tf4109f56t3f7 corresponds to an ordinary user, not an admin-or-above level

Visiting /userinfo/?token=b9d56bfaeba57885b63dd0081c97c1d2 corresponds to the admin user

rest framework ships a built-in permission class named AllowAny

It allows everything; if no permission class is set, this is the default
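To make the access rules above concrete without a Django project, here is an added example (not code from the original post) that models, in plain Python, how DRF evaluates a request: authenticate first, then run every class in permission_classes, where a view-level list replaces the global default and all listed classes must return True. The token strings and user records are constructed stand-ins for the UserToken table.

```python
from types import SimpleNamespace

NORMAL, ADMIN, SUPERUSER = 1, 2, 3  # user_type values the post's rules compare against
class AuthenticationFailed(Exception): pass
class PermissionDenied(Exception): pass

class GlobalPermission:  # same rule as the post's global class
    message = "Superuser permission required"
    def has_permission(self, request, view):
        return request.user.user_type == SUPERUSER

class MyPermission:  # same rule as the post's view-level class
    message = "Admin or higher permission required"
    def has_permission(self, request, view):
        return request.user.user_type >= ADMIN

DEFAULT_PERMISSION_CLASSES = [GlobalPermission]  # DEFAULT_PERMISSION_CLASSES in settings
# Constructed token table standing in for the UserToken model (hypothetical tokens).
TOKENS = {
    "tok-normal": SimpleNamespace(username="user", user_type=NORMAL),
    "tok-admin": SimpleNamespace(username="admin", user_type=ADMIN),
    "tok-super": SimpleNamespace(username="super", user_type=SUPERUSER),
}

def authenticate(token):
    """Mirror of GlobalAuthentication.authenticate: an unknown token fails closed."""
    user = TOKENS.get(token)
    if user is None:
        raise AuthenticationFailed("authentication failed")
    return user

def check_permissions(request, view_permission_classes=None):
    """Mirror of APIView.check_permissions: a view-level permission_classes list
    REPLACES the global default, and every listed class must return True."""
    classes = DEFAULT_PERMISSION_CLASSES if view_permission_classes is None else view_permission_classes
    for cls in classes:
        if not cls().has_permission(request, view=None):
            raise PermissionDenied(cls.message)
    return True

def can_access(token, view_permission_classes=None):
    """Whole request flow: authenticate first, then run the permission check."""
    try:
        request = SimpleNamespace(user=authenticate(token))
        return check_permissions(request, view_permission_classes)
    except (AuthenticationFailed, PermissionDenied):
        return False

def access_matrix():
    """(allowed on /order/, allowed on /userinfo/) for every token in the table."""
    return {t: (can_access(t), can_access(t, [MyPermission])) for t in TOKENS}
```

Listing several classes, for example [MyPermission, GlobalPermission], is an AND: the admin token is refused because GlobalPermission still fails.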

Posted 2021-01-16 14:33 by Sch01aR#