官方文檔： https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/

概覽

1. 本章目的

• Code snippets 能關聯(lián)到創(chuàng)作者；
• 只有通過認證的用戶才可以創(chuàng)建代碼片段；
• 只有代碼片段的創(chuàng)作者才可以更新或刪除它；
• 沒有通過登錄認證的請求只有只讀權限。

2. Adding information to our model

1. Add the following two fields to the Snippet model in models.py

from django.db import models
from pygments.lexers import get_all_lexers
from pygments.styles import get_all_styles

LEXERS = [item for item in get_all_lexers() if item[1]]
LANGUAGE_CHOICES = sorted([(item[1][0], item[0]) for item in LEXERS])
STYLE_CHOICES = sorted((item, item) for item in get_all_styles())

class Snippet(models.Model):
    created = models.DateTimeField(auto_now_add=True)
    title = models.CharField(max_length=100, blank=True, default='')
    code = models.TextField()
    linenos = models.BooleanField(default=False)
    language = models.CharField(choices=LANGUAGE_CHOICES, default='python', max_length=100)
    style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100)
    # the user who created the code snippet.
    owner = models.ForeignKey('auth.User',
                           related_name='snippets', 
                           on_delete=models.CASCADE)
    # It will be used to store the highlighted HTML.
    highlighted = models.TextField()
    class Meta:
        ordering = ('created',)

2. overwite save() function

from pygments.lexers import get_lexer_by_name
from pygments.formatters.html import HtmlFormatter
from pygments import highlight

def save(self, *args, **kwargs):
    """
    Use the `pygments` library to create a highlighted HTML
    representation of the code snippet.
    """
    lexer = get_lexer_by_name(self.language)
    linenos = 'table' if self.linenos else False
    options = {'title': self.title} if self.title else {}
    formatter = HtmlFormatter(style=self.style, linenos=linenos,
                              full=True, **options)
    self.highlighted = highlight(self.code, lexer, formatter)
    super(Snippet, self).save(*args, **kwargs)  

3. sync database

python manage.py makemigrations snippets
python manage.py migrate

4 .create a super user to test

python manage.py createsuperuser

3. Adding endpoints for our User models

1. Creating a new serializer in serializers.py

from django.contrib.auth.models import User

class UserSerializer(serializers.ModelSerializer):
    # 因為snippets字段沒有在User中定義，
    # 它和User model 是一個反向的關系。因此我們需要顯式的聲明。
    snippets = serializers.PrimaryKeyRelatedField(many=True,
                     queryset=Snippet.objects.all())
    class Meta:
        model = User
        fields = ('id', 'username', 'snippets')

2. add views to views.py

"""
只允許對用戶表進行查詢而不能進行修改，因此是只讀的
并且繼承這查詢的兩個類就可以了。
"""
from django.contrib.auth.models import User

class UserList(generics.ListAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

class UserDetail(generics.RetrieveAPIView):
    queryset = User.objects.all()
    serializer_class = UserSerializer

3. add those views into the urls.py

path('users/', views.UserList.as_view()),
path('users/<int:pk>/', views.UserDetail.as_view()),

4. Associating Snippets with Users

1. overriding a .perform_create()

def perform_create(self, serializer):
    serializer.save(owner=self.request.user)

5. Updating our serializer

# add the following field to the serializers.py
owner = serializers.ReadOnlyField(source='owner.username')
# add 'owner' to the list of fields in the inner Meta class.

• source argument controls which attribute is used.
• ReadOnlyField is always read-only, it will be used for serialized representations, but will not be used for updating model instances when they are deserialized.
• ReadOnlyField == CharField(read_only=True)

6. Adding required permissions to views.

• DRF 有許多權限類用于控制哪些用戶可以訪問哪些view.
• 在這一節(jié)我們使用IsAuthenticatedOrReadOnly類來控制通過認證的用戶有讀寫權限，沒有通過的用戶只有只讀權限。

1. import the permissions class in the views module.

from rest_framework import permissions

2. add the following property to both the SnippetList and SnippetDetail view classes.

premission_classes = (permissions.IsAuthenticatedOrReadOnly,)

3. define the urls

from django.conf.urls import include
urlpatterns += [
    path('api-auth/', include('rest_framework.urls')),
]

• 現(xiàn)在打開瀏覽器會在右上腳看到“Login”，只有登錄后才可以創(chuàng)建更新代碼片段，如果沒有登錄成功則只有只讀權限。

7. Object level permissions.

• 如果我們需要某些用戶有所有代碼片段的訪問權限，但是只有創(chuàng)作者才可以更新或刪除它。那我們需要針對不同的用戶賦于不同的權限。因此我們需要自定義權限類。

1. create a new file permissions.py

from rest_framework import permissions


class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of the snippet.
        return obj.owner == request.user

• 自定義權限類：
  1. 需要繼承permissions.BasePermission
  2. 需要重寫 has_object_permission()

2. add custom permission to our snippet instance.

from snippets.permissions import IsOwnerOrReadOnly
permission_classes = (permissions.IsAuthenticatedOrReadOnly,
                      IsOwnerOrReadOnly,)

8. Authenticating with the API

• 登錄前

http POST http://127.0.0.1:8000/snippets/ code="print(123)"

{
    "detail": "Authentication credentials were not provided."
}

• 登錄后

http -a admin:password123 POST http://127.0.0.1:8000/snippets/ code="print(789)"

{
    "id": 1,
    "owner": "admin",
    "title": "foo",
    "code": "print(789)",
    "linenos": false,
    "language": "python",
    "style": "friendly"
}