目前为止,我们的代码没有限制谁可以编辑和删除代码片段,此节我们需要实现以下功能
- 代码片段需要与创建者关联
- 只有通过验证的用户才能创建代码片段
- 只有创建者才能修改或删除代码片段
- 没有通过验证的用户拥有只读权限
给model添加字段
我们需要添加两个字段,一个用于存储代码片段的创建者信息,一个用于存储代码的高亮信息
style = models.CharField(choices=STYLE_CHOICES, default='friendly', max_length=100)
owner = models.ForeignKey('auth.User', related_name='snippets', on_delete=models.CASCADE)
highlighted = models.TextField()
同时,我们需要在该模型类执行保存操作时,自动填充highlighted字段,使用pygments库。
首先,导入一些包
from pygments.lexers import get_lexer_by_name
from pygments.formatters.html import HtmlFormatter
from pygments import highlight
然后为Snippet重写父类的save方法
def save(self, *args, **kwargs):
"""
use the 'pygments' library to create a highlighted HTML
representation of code snippet
"""
lexer = get_lexer_by_name(self.language)
linenos = self.linenos and 'table' or False
options = self.title and {'title': self.title} or {}
formatter = HtmlFormatter(style=self.style, linenos=linenos,
full=True, **options)
self.highlighted = highlight(self.code, lexer, formatter)
super(Snippet, self).save(*args, **kwargs)
接下来需要迁移数据库,方便起见,删库,然后重新迁移
(django_rest_framework) [root@localhost tutorial]# rm -f tmp.db db.sqlite3 && \
> rm -rf snippets/migrations/ && \
> python manage.py makemigrations snippets && \
> python manage.py migrate
Migrations for 'snippets':
snippets/migrations/0001_initial.py
- Create model Snippet
Operations to perform:
Apply all migrations: admin, auth, contenttypes, sessions, snippets
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
Applying sessions.0001_initial... OK
Applying snippets.0001_initial... OK
为了测试API,我们需要创建一些用户,最快的方式就是通过createsuperuser命令
(django_rest_framework) [root@localhost tutorial]# python manage.py createsuperuser
Username (leave blank to use 'root'): song
Email address: shelmingsong@gmail.com
Password:
Password (again):
Superuser created successfully.
(django_rest_framework) [root@localhost tutorial]# python manage.py createsuperuser
Username (leave blank to use 'root'): user_1
Email address: user_1@gmail.com
Password:
Password (again):
Superuser created successfully.
(django_rest_framework) [root@localhost tutorial]# python manage.py createsuperuser
Username (leave blank to use 'root'): user_2
Email address: user_2@gmail.com
Password:
Password (again):
Superuser created successfully.
为用户模型添加接口
我们已经创建了三个用户,现在我们需要添加用户相关的接口,修改serializers.py
from django.contrib.auth.models import User
class UserSerializer(serializers.ModelSerializer):
snippets = serializers.PrimaryKeyRelatedField(many=True, queryset=Snippet.objects.all())
class Meta:
model = User
fields = ('id', 'username', 'snippets')
因为snippets和user是一种反向的关联,默认不会包含入ModelSerializer类中,所以需要我们手动添加
我们也需要对views.py进行修改,由于用户页面为只读,所以继承于ListAPIView和RetrieveAPIView类
from django.contrib.auth.models import User
from snippets.serializers import UserSerializer
class UserList(generics.ListAPIView):
queryset = User.objects.all()
serializer_class = UserSerializer
class UserDetail(generics.RetrieveAPIView):
queryset = User.objects.all()
serializer_class = UserSerializer
配置url.py
url(r'^users/$', views.UserList.as_view()),
url(r'^users/(?P<pk>[0-9]+)/$', views.UserDetail.as_view()),
关联User和Snippet
此时我们创建一个代码片段,是无法与用户关联的,因为用户信息是通过request获取的。
因此我们需要重写snippet的view中perform_create()方法,这个方法允许我们在对象保存前进行相关操作,处理任何有request或requested URL传递进来的数据
修改views.py中的SnippetList类,添加perform_create()方法
def perform_create(self, serializer):
serializer.save(owner=self.request.user)
如此,新建代码片段时,会添加owner字段,该字段存储了request中的用户信息
更新serializer
之前我们在views中的SnippetList类中添加了perform_create方法,保存了owner信息,因而也需要在serializer中的SnippetSerializer类中添加owner信息,同时将owner添加进Meta子类的fields字段中
class SnippetSerializer(serializers.ModelSerializer):
owner = serializers.ReadOnlyField(source='owner.username')
class Meta:
model = Snippet
fields = ('id', 'title', 'code', 'linenos', 'language', 'style', 'owner')
这里我们使用了ReadOnlyField类型,这个类型是只读的,不能被更新,和Charfield(read_only=True)是一样的效果
添加权限认证
我们希望只有登录的用户能够去增加代码片段,未登录则只有查看的权限,此时我们需要用到IsAuthenticatedOrReadOnly
修改views.py,为snippet的两个类views添加permission_classes字段
from rest_framework import permissions
class SnippetList(generics.ListCreateAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly, )
class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly, )
添加登陆接口
修改项目的urls.py
urlpatterns = [
url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework'))
]
r'^api-auth/'可以自定,namespace在Django 1.9 + 的版本中可以省略
运行Django服务器,访问your.domain/snippets/,点击右上角的登陆按钮,登陆我们之前创建的用户后,就可以创建代码片段了
创建完几个代码片段后,再访问your.domain/users/时,就可以看到每个用户创建了哪几个代码片段了
对象级别的权限
现在用户都可以对所有的snippets进行增删改查,我们要确保只有创建者可以对snippets进行改动或删除。
在snippetsapp中,创建permissions.py
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission):
"""
custom permission to only allow owners of an object to edit it
"""
def has_object_permission(self, request, view, obj):
# allow all user to read
if request.method in permissions.SAFE_METHODS:
return True
# only allow owner to edit
return obj.owner == request.user
在views.py中添加权限
from snippets.permissions import IsOwnerOrReadOnly
class SnippetDetail(generics.RetrieveUpdateDestroyAPIView):
permission_classes = (permissions.IsAuthenticatedOrReadOnly,
IsOwnerOrReadOnly)
此时我们访问your.domain/snippets/1/,若用户未登录或登录用户不是该snippets的创建者,则只有读的权限,页面上表现为没有DELETE(上方中间)和PUT(右下角)按钮
通过接口进行权限认证
之前我们是通过浏览器页面进行登录的,而当我们直接使用接口去请求时,如果没有进行登录,而对某个snippet进行修改或是创建一个新的snippet,则会报错
(django_rest_framework) [root@localhost django_rest_framework]# http POST http://127.0.0.1:80/snippets/ code="hahah"
HTTP/1.0 403 Forbidden
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 58
Content-Type: application/json
Date: Tue, 28 Nov 2017 14:56:18 GMT
Server: WSGIServer/0.2 CPython/3.6.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN
{
"detail": "Authentication credentials were not provided."
}
(django_rest_framework) [root@localhost django_rest_framework]# http POST http://127.0.0.1:80/snippets/1/ code="hahah"
HTTP/1.0 403 Forbidden
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Length: 58
Content-Type: application/json
Date: Tue, 28 Nov 2017 14:56:26 GMT
Server: WSGIServer/0.2 CPython/3.6.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN
{
"detail": "Authentication credentials were not provided."
}
我们在发送请求时,提供用户名和密码,就可以进行操作了
(django_rest_framework) [root@localhost django_rest_framework]# http -a your_username:your_password POST http://127.0.0.1:80/snippets/ code="hahah"
HTTP/1.0 201 Created
Allow: GET, POST, HEAD, OPTIONS
Content-Length: 104
Content-Type: application/json
Date: Tue, 28 Nov 2017 14:58:10 GMT
Server: WSGIServer/0.2 CPython/3.6.3
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN
{
"code": "hahah",
"id": 4,
"language": "python",
"linenos": false,
"owner": "song",
"style": "friendly",
"title": ""
}
关于
本人是初学Django REST framework,Django REST framework 学习纪要系列文章是我从官网文档学习后的初步消化成果,如有错误,欢迎指正。
学习用代码Github仓库:shelmingsong/django_rest_framework
本文参考的官网文档:Tutorial 4: Authentication & Permissions
博客更新地址
- 宋明耀的博客 [ 第一时间更新 ]
- 知乎专栏 Python Cookbook
- 简书 流月0的文章
网友评论