Tutorial 4: Authentication & Permissions

官方文档： https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/

概览

1. 本章目的

• Code snippets 能关联到创作者；
• 只有通过认证的用户才可以创建代码片段；
• 只有代码片段的创作者才可以更新或删除它；
• 没有通过登录认证的请求只有只读权限。

2. Adding information to our model

1. Add the following two fields to the Snippet model in models.py

from django.db import models
from pygments.lexers import get_all_lexers
from pygments.styles import get_all_styles

LEXERS = [item for item in get_all_lexers() if item[1]]
LANGUAGE_CHOICES = sorted([(item[1][0], item[0]) for item in LEXERS])
STYLE_CHOICES = sorted((item, item) for item in get_all_styles())

class Snippet(models.Model):
    created = models.DateTimeField(auto_now_add=True)
    title = models.CharField(max_length=100, blank=True, default='')
    code = models.TextField()
    linenos = models.BooleanField(default=False)
    language = models.CharField(choices=LANGUAGE_CHOICES, default='python', max_length=100)
    style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100)
    # the user who created the code snippet.
    owner = models.ForeignKey('auth.User',
                           related_name='snippets', 
                           on_delete=models.CASCADE)
    # It will be used to store the highlighted HTML.
    highlighted = models.TextField()
    class Meta:
        ordering = ('created',)

2. overwite save() function

from pygments.lexers import get_lexer_by_name
from pygments.formatters.html import HtmlFormatter
from pygments import highlight

def save(self, *args, **kwargs):
    """
    Use the `pygments` library to create a highlighted HTML
    representation of the code snippet.
    """
    lexer = get_lexer_by_name(self.language)
    linenos = 'table' if self.linenos else False
    options = {'title': self.title} if self.title else {}
    formatter = HtmlFormatter(style=self.style, linenos=linenos,
                              full=True, **options)
    self.highlighted = highlight(self.code, lexer, formatter)
    super(Snippet, self).save(*args, **kwargs)  

3. sync database

python manage.py makemigrations snippets
python manage.py migrate

4 .create a super user to test

python manage.py createsuperuser

3. Adding endpoints for our User models

1. Creating a new serializer in serializers.py

from django.contrib.auth.models import User

class UserSerializer(serializers.ModelSerializer):
    # 因为snippets字段没有在User中定义，
    # 它和User model 是一个反向的关系。因此我们需要显式的声明。
    snippets = serializers.PrimaryKeyRelatedField(many=True,
                     queryset=Snippet.objects.all())
    class Meta:
        model = User
        fields = ('id', 'username', 'snippets')

2. add views to views.py

"""
只允许对用户表进行查询而不能进行修改，因此是只读的
并且继承这查询的两个类就可以了。
"""
from django.contrib.auth.models import User

class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

class UserDetail(generics.RetrieveAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

3. add those views into the urls.py

path('users/', views.UserList.as_view()),
path('users//', views.UserDetail.as_view()),

4. Associating Snippets with Users

1. overriding a .perform_create()

def perform_create(self, serializer):
    serializer.save(owner=self.request.user)

5. Updating our serializer

# add the following field to the serializers.py
owner = serializers.ReadOnlyField(source='owner.username')
# add 'owner' to the list of fields in the inner Meta class.

• source argument controls which attribute is used.
• ReadOnlyField is always read-only, it will be used for serialized representations, but will not be used for updating model instances when they are deserialized.
• ReadOnlyField == CharField(read_only=True)

6. Adding required permissions to views.

• DRF 有许多权限类用于控制哪些用户可以访问哪些view.
• 在这一节我们使用IsAuthenticatedOrReadOnly类来控制通过认证的用户有读写权限，没有通过的用户只有只读权限。

1. import the permissions class in the views module.

from rest_framework import permissions

2. add the following property to both the SnippetList and SnippetDetail view classes.

premission_classes = (permissions.IsAuthenticatedOrReadOnly,)

3. define the urls

from django.conf.urls import include
urlpatterns += [
    path('api-auth/', include('rest_framework.urls')),
]

• 现在打开浏览器会在右上脚看到“Login”，只有登录后才可以创建更新代码片段，如果没有登录成功则只有只读权限。

7. Object level permissions.

• 如果我们需要某些用户有所有代码片段的访问权限，但是只有创作者才可以更新或删除它。那我们需要针对不同的用户赋于不同的权限。因此我们需要自定义权限类。

1. create a new file permissions.py

from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

• 自定义权限类：
  1. 需要继承permissions.BasePermission
  2. 需要重写 has_object_permission()

2. add custom permission to our snippet instance.

from snippets.permissions import IsOwnerOrReadOnly
permission_classes = (permissions.IsAuthenticatedOrReadOnly,
                      IsOwnerOrReadOnly,)

8. Authenticating with the API

• 登录前

http POST http://127.0.0.1:8000/snippets/ code="print(123)"

{
    "detail": "Authentication credentials were not provided."
}

• 登录后

http -a admin:password123 POST http://127.0.0.1:8000/snippets/ code="print(789)"

{
    "id": 1,
    "owner": "admin",
    "title": "foo",
    "code": "print(789)",
    "linenos": false,
    "language": "python",
    "style": "friendly"
}