django 之(三) --- 认证|权限

用户模块

登陆注册1：Django2.0 

[ 1：N ]

• user/url.py

from django.urls import path
from user.views0 import UserTypeView, SingleUserView

app_name = 'user'
urlpatterns = [
    # 注意：：：此处必须变量名定义名为pk，否则系统识别不到
    path('singleuser/<int:pk>', SingleUserView.as_view(), name='user-detail'),
    path('usertype/', UserTypeView.as_view(), name='usertype'),
]

• user/models.py

from django.db import models

 3 # 1
class UserType(models.Model):
    name = models.CharField(max_length=20, unique=True)
    add_time = models.DateTimeField(auto_now=True)

    class Meta:
        db_table = 'user_type'
    def __str__(self):
        return self.name

14 # n
class User(models.Model):
    username = models.CharField(max_length=20, unique=True)
    password = models.CharField(max_length=128)
    phone = models.CharField(max_length=11)
    add_time = models.DateTimeField(auto_now=True)
    # related_name='users'的作用是usertype.user_set.all ===> usertype.users.all
    usertype = models.ForeignKey(to=UserType, on_delete=models.CASCADE, related_name='users', null=True)

    class Meta:
        db_table = 'user'
    def __str__(self):
        return self.username

• user/serializers.py 

from django.contrib.auth.hashers import make_password
from rest_framework import serializers
from user.models import User, UserType

class UserSerializerSimple(serializers.ModelSerializer):
    repassword = serializers.CharField(max_length=128, write_only=True)

    class Meta:
        model = User # 序列化的模型以及字段
        fields = ['id', 'username', 'password', 'phone', 'repassword']
　　 # 重写validate类方法。实现密码和确认密码验证
    def validate(self, attrs):
        if attrs['password'] != attrs['repassword']:
            raise serializers.ValidationError('两次密码不相等')
        return attrs
　　 # 重写create类方法。实现密码加密功能
    def create(self, validated_data):
        username = validated_data['username']
        password = validated_data['password']
        phone = validated_data['phone']
        password = make_password(password) # 密码加密
        user = User.objects.create(username=username, password=password, phone=phone)
        return user

# 也可以继承自：serializers.HyperlinkedModelSerializer实现超链接
class UserTypeSerializer(serializers.ModelSerializer):
 3     """
 4     # 1。
 5     # StringRelatedField表示定义序列化的关系模型[两张表的关系定义]。many=True 表示有多个值时需要声明为True。
 6     # users命名要和模型中外键字段定义的related_name='users'中定义的名字一致，且需要添加到下方Meta的fields中
 7     # 最后返回到前端的是对应的从表对象的名称
    users = serializers.StringRelatedField(many=True)
 9     # 2。
10     # 也可以使用PrimaryKeyRelatedField。
11     # 最后返回到前端的是对应的从表对象的主键
    users = serializers.PrimaryKeyRelatedField(many=True, read_only=True)
13     """
14     # 3。
15     # 也可以使用 HyperlinkedRelatedField超链接格式，view_name='user:user-detail'需要定义用户的超链接(url)
16     # 最后返回到前端的是对应的从表对象的链接格式(url)
    users = serializers.HyperlinkedRelatedField(read_only=True, many=True, view_name='user:user-detail')

    class Meta:
        model = UserType
        fields = '__all__'

class SingleUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['id', 'username', 'password', 'phone', 'usertype']
　　

# 也可以继承自：serializers.HyperlinkedModelSerializer实现超链接
class SingleUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['id', 'username', 'password', 'phone', 'usertype']

• user/views.py

from django.http import JsonResponse
from rest_framework.views import APIView
from user.models import User, UserType
from user.serializers import UserTypeSerializer, SingleUserSerializer, 
    UserSerializerSimple

class UserViewsSimple(APIView):
    def get(self, request):
        pass
    def post(self, request):
        user_serializer = UserSerializerSimple(data=request.data)
        if user_serializer.is_valid():
            user_serializer.save()
            return JsonResponse({'status': 200, 'user': user_serializer.data})

class UserTypeView(APIView):
    def get(self, request):
        usertypes = UserType.objects.all()
        """
           将从数据库中查询到的数据在UserTypeSerializer中进行序列化。
           序列化的是多个值时，需要添加many=True自动将usertypes转为列表类型
        """
        serializer = UserTypeSerializer(usertypes, many=True, context={'request': request})
        data = {
            'status': 200,
            'types': serializer.data
        }
        return JsonResponse(data)    

class SingleUserView(APIView): # 获取单个
    def get(self, request, pk):
        user = User.objects.get(pk=pk)
        serializer = SingleUserSerializer(user, context={'request': request})
        data = {
            'status': 200,
            'types': serializer.data
        }
        return JsonResponse(data)

用户模块

• 用户注册

  • 数据开始：模型，数据库创建用户

    • 用户身份：管理员、普通、删除用户

  • 注册实现

    • 添加了超级管理员生成

• 用户登陆

  • 验证用户名密码；生成用户令牌

  • 出现登陆和注册的post冲突。添加action

    • path/?action=login

    • path/?action=register

  • 异常捕获尽量精确

• 用户认证

  • BaseAuthentication

    • authenticate：认证成功会返回一个元组

      • 第一个元素是(user)用户对象

      • 第二个元素是(token或auth)令牌

• 用户权限

  • BasePermission

    • has_permission：是否具有权限

      • true拥有权限

      • false没有权限

• 用户认证和权限

  • 直接配置在视图函数上就ok了

 认证权限2：Django1.11

• settings.py

 1 # 特定超级用户列表
SUPER_USERS = ('GYP', 'LS','ROOT')

 4 # 缓存书库库
CACHES = {
    'default': {
        'BACKEND': 'django_redis.cache.RedisCache',
        'LOCATION': 'redis://127.0.0.1:6379/1',
        'OPTIONS': {
            'CLIENT_CLASS': 'django_redis.client.DefaultClient',
        },
        'TIMEOUT': 60 * 60 *2
    }
}

• urls.py

 1 # 主url分发
from django.conf.urls import url, include
from django.contrib import admin

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'uauth/',include('UserAuthAndPermission.urls'))
]
# ————————————————————————————------------------------------------------------------#
12 # 子url配置
from django.conf.urls import url
from UserAuthAndPermission import views

# HyperlinkedModelSerializer超链接的序列化需要为超链接配置好一个返回的url的路径url
urlpatterns = [
    # 用户注册登陆路由
    url(r'^users/$', views.UsersAPIView.as_view()),
    # name='usermodel-detail'。系统默认的报错配置名字
    url(r'^users/(?P<pk>d+)/$', views.UserAPIView.as_view(), name='usermodel-detail'),
]

• UserAuthAndPermission/models.py

from django.db import models

# 用户模型
class UserModel(models.Model):
    u_name = models.CharField(max_length=32,unique=True)
    u_password = models.CharField(max_length=256)
    is_delete = models.BooleanField(default=False)
    is_super = models.BooleanField(default=False)

---

• UserAuthAndPermission/serializers.py

from rest_framework import serializers
from UserAuthAndPermission.models import UserModel

# serializers万能键导入不可用，需要手动导入；HyperlinkedModelSerializer带超链接url的序列化
class UserSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = UserModel
        fields = ('url', 'id', 'u_name', 'u_password', 'is_super')

• UserAuthAndPermission/constants.py

# 自定义常量类
HTTP_ACTION_LOGIN = 'login'
HTTP_ACTION_REGISTER = 'register'

• UserAuthAndPermission/auth.py

from django.core.cache import cache
from rest_framework.authentication import BaseAuthentication
from UserAuthAndPermission.models import UserModel


 6 # 认证
# 继承自系统类BaseAuthentication。认证用户是否登陆
class UserAuth(BaseAuthentication):
    # 实现父类中的抽象方法authenticate，增登陆认证功能。认证成功可返回元组：用户和令牌
    def authenticate(self, request):
        if request.method == "GET":
            token = request.query_params.get('token')
            try:
                u_id = cache.get(token)
                user = UserModel.objects.get(pk=u_id)
                return user, token
            except:
                return None

• UserAuthAndPermission/permissions.py

from rest_framework.permissions import BasePermission
from UserAuthAndPermission.models import UserModel

 4 #  权限。只有登陆认证过，并且是超级管理员用户才可以查询所有
#  继承自BasePermission。进行权限限制判断是否是超级管理员用户
class IsSuperUser(BasePermission):
    # 重写has_permission系统方法。
    def has_permission(self, request, view):
        if request.method == "GET":  # 又有get请求才会去判断权限
            # 判断是否是模型的实例(判断某个对象是否是某个类的实例)
            if isinstance(request.user, UserModel):
                return request.user.is_super
            return False
        return True

• UserAuthAndPermission/views.py

import uuid
from django.core.cache import cache
from rest_framework import status, exceptions
from rest_framework.generics import ListCreateAPIView
from rest_framework.response import Response
from DjangoREST.settings import SUPER_USERS
from UserAuthAndPermission.auth import UserAuth
from UserAuthAndPermission.constants import HTTP_ACTION_REGISTER, HTTP_ACTION_LOGIN
from UserAuthAndPermission.models import UserModel
from UserAuthAndPermission.permissions import IsSuperUser
from UserAuthAndPermission.serializers import UserSerializer


# 实现所有查询get和创建post功能的类视图继承方式
class UsersAPIView(ListCreateAPIView):
    # 模型序列化，系统默认变量名serializer_class
    serializer_class = UserSerializer
    # 从模型中查询获取数据。queryset也是系统默认变量名
    queryset = UserModel.objects.all()
    # 认证类。验证用户登陆认证。只有登陆的用户才可以查询
    authentication_classes = (UserAuth,)
    # 权限类。验证用户类型权限。只有超级管理员才可以查询
    permission_classes = (IsSuperUser,)

    # # get请求。只有是登陆认证认证过的 才可以查询
    # def get(self, request, *args, **kwargs):
    #     # 判断是否是模型的实例(判断某个对象是否是某个类的实例)
    #     if isinstance(request.user, UserModel):
    #         return self.list(request, *args, **kwargs)
    #     else:
    #         raise exceptions.NotAuthenticated


    # 重写ListCreateAPIView已有的post请求。实现登陆、注册。出现登陆注册公用post问题
    # 解决：添加action动作(path/?action=login 或者 path/?action=register
    def post(self, request, *args, **kwargs):
        # 获取查询参数，相当于django中的额GET方法。
        action = request.query_params.get('action')
        # 判断是什么动作
        if action == HTTP_ACTION_REGISTER:  # 注册
            return self.create(request, *args, **kwargs)
        elif action == HTTP_ACTION_LOGIN:  # 登陆
            u_name = request.data.get('u_name')
            u_password = request.data.get('u_password')

            try:
                user = UserModel.objects.get(u_name=u_name)
                if user.u_password == u_password:
                    # 登陆成功，给用户一个token令牌存到缓存中
                    token = uuid.uuid4().hex
                    cache.set(token, user.id)
                    data = {
                        'msg': 'login success',
                        'status': 200,
                        'token': token
                    }
                    return Response(data)
                else:
                    # 系统系统的状态信息常量类exceptions
                    raise exceptions.AuthenticationFailed
            except UserModel.DoesNotExist:  # 异常捕获要精确
                raise exceptions.NotFound
        else:
            raise exceptions.ValidationError

    # 重写系统create()方法。指定超级用户的列表在settings.py文件中指定
    # 超级用户问题实现：只要是在即有特定列表中的用户注册时就自动设为超级用户。
    def create(self, request, *args, **kwargs):
        # 源码
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        self.perform_create(serializer)

        data = serializer.data
        u_name = data.get('u_name')
        # 判断是否是已有列表中的超级用户
        if u_name in SUPER_USERS:
            u_id = data.get('id')
            user = UserModel.objects.get(pk=u_id)
            user.is_super = True
            user.save()
            # 更新返回信息
            data.update({'is_super': True})
        headers = self.get_success_headers(serializer.data)
        return Response(data, status=status.HTTP_201_CREATED, headers=headers)


# 实现单个查询get和创建post功能的类视图继承方式
class UserAPIView(ListCreateAPIView):
    # 模型序列化，系统默认变量名serializer_class
    serializer_class = UserSerializer
    # 从模型中查询获取数据。queryset也是系统默认变量名
    queryset = UserModel.objects.all()

 中级大招