(資料圖片僅供參考)

DRF的權(quán)限組件(源碼分析)

1. 創(chuàng)建用戶表

from django.db import models# Create your models here.class UserInfo(models.Model):    role_choice = ((1, "CEO"), (2, "CTO"), (3, "CFO"))    role = models.SmallIntegerField(verbose_name="類型", choices=role_choice, default=1)    username = models.CharField(verbose_name="用戶名", max_length=32)    password = models.CharField(verbose_name="密碼", max_length=32)    token = models.CharField(verbose_name="TOKEN", max_length=64, null=True, blank=True)

2. 自定義權(quán)限類

from rest_framework.permissions import BasePermissionclass PermissionA(BasePermission):    message = {"code": 1003, "data": "無權(quán)訪問"}    def has_permission(self, request, view):        if request.user.role == 2:            return True        return False    def has_object_permission(self, request, view, obj):        return True

3. 視圖函數(shù)中添加認證

• 局部配置(views.py)

class UserView(APIView):    permission_classes = [PermissionA, ]  # role權(quán)限        def get(self, request):        ...

• 全局配置(settings.py)

REST_FRAMEWORK = {    # 權(quán)限    "DEFAULT_PERMISSION_CLASSES": ["app01.permission.PermissionA", ]}

4. 多個權(quán)限類

當(dāng)開發(fā)過程中需要用戶同時具備多個權(quán)限（缺一不可）時，可以用多個權(quán)限類來實現(xiàn)。

權(quán)限組件內(nèi)部處理機制：按照列表的順序逐一執(zhí)行 has_permission方法，如果返回True，則繼續(xù)執(zhí)行后續(xù)的權(quán)限類；如果返回None或False，則拋出權(quán)限異常并停止后續(xù)權(quán)限類的執(zhí)行。

# models.pyfrom django.db import modelsclass Role(models.Model):    """ 角色表 """    title = models.CharField(verbose_name="名稱", max_length=32)class UserInfo(models.Model):    """ 用戶表 """    username = models.CharField(verbose_name="用戶名", max_length=32)    password = models.CharField(verbose_name="密碼", max_length=64)    token = models.CharField(verbose_name="TOKEN", max_length=64, null=True, blank=True)    roles = models.ManyToManyField(verbose_name="角色", to="Role")

# urls.pyfrom django.urls import path, re_path, includefrom app01 import viewsurlpatterns = [    path("api/auth/", views.AuthView.as_view()),    path("api/order/", views.OrderView.as_view()),]

# views.pyimport uuidfrom rest_framework.views import APIViewfrom rest_framework.request import Requestfrom rest_framework.response import Responsefrom rest_framework.authentication import BaseAuthenticationfrom rest_framework.permissions import BasePermissionfrom rest_framework.exceptions import AuthenticationFailedfrom app01 import modelsclass AuthView(APIView):    """ 用戶登錄認證 """    def post(self, request, *args, **kwargs):        print(request.data)  # {"username": "wupeiqi", "password": "123"}        username = request.data.get("username")        password = request.data.get("password")        user_object = models.UserInfo.objects.filter(username=username, password=password).first()        if not user_object:            return Response({"code": 1000, "data": "用戶名或密碼錯誤"})        token = str(uuid.uuid4())        user_object.token = token        user_object.save()        return Response({"code": 0, "data": {"token": token, "name": username}})class TokenAuthentication(BaseAuthentication):    def authenticate(self, request):        token = request.query_params.get("token")        if not token:            raise AuthenticationFailed({"code": 1002, "data": "認證失敗"})        user_object = models.UserInfo.objects.filter(token=token).first()        if not user_object:            raise AuthenticationFailed({"code": 1002, "data": "認證失敗"})        return user_object, token    def authenticate_header(self, request):        return "Bearer realm="API""class PermissionA(BasePermission):    message = {"code": 1003, "data": "無權(quán)訪問"}    def has_permission(self, request, view):        exists = request.user.roles.filter(title="員工").exists()        if exists:            return True        return False    def has_object_permission(self, request, view, obj):        return Trueclass PermissionB(BasePermission):    message = {"code": 1003, "data": "無權(quán)訪問"}    def has_permission(self, request, view):        exists = request.user.roles.filter(title="主管").exists()        if exists:            return True        return False    def has_object_permission(self, request, view, obj):        return Trueclass OrderView(APIView):    authentication_classes = [TokenAuthentication, ]    permission_classes = [PermissionA, PermissionA]    def get(self, request, *args, **kwargs):        return Response({"code": 0, "data": {"user": None, "list": [1, 2, 3]}})class PayView(APIView):    authentication_classes = [TokenAuthentication, ]    permission_classes = [PermissionA, ]    def get(self, request, *args, **kwargs):        return Response({"code": 0, "data": "數(shù)據(jù)..."})

5. 關(guān)于has_object_permission

后期補充...

6. 源碼分析

第三步前面的部分執(zhí)行流程和前兩篇文章是一樣的. 這里就不過多贅述了