下面是我使用Token Authen的示例代码:
from rest_framework.permissions import IsAuthenticated, IsAdminUser
from django.http.response import HttpResponse
class test_api(generics.GenericAPIView):
permission_classes = (IsAdminUser, IsAuthenticated)
def get(self,request):
return HttpResponse("You call random test api")
我正在使用令牌Authen,我的请求头是这样的,这是一个非AdminUser的令牌
Authorization : Token fc823d7a1d8973056e11e9c8b974f17e351c4263
当我调用api时,它从终端打印出这些行
False
[23/Aug/2021 10:39:20] "GET /user/get-user HTTP/1.1" 200 13
我想False得到了IsAdminUser的许可。然而,代码仍然响应200,并给我You call random test api的响应。
只有当我给出错误的Token时,我才会收到403 Unauth响应。
我的用户模型:
class UserManager(BaseUserManager):
def create_user(self, email, password=None, **extra_fields):
if not email:
raise ValueError("User must have an email address")
user = self.model(email=self.normalize_email(email), **extra_fields)
user.set_password(password)
user.save(using=self._db)
return user
def create_superuser(self, email, password):
"""Creata and saves a new super user"""
user = self.create_user(email,password)
user.is_staff = False
user.is_superuser = True
user.save(using= self._db)
return user
class User(AbstractBaseUser, PermissionsMixin):
"""Custom user model that support using email instead of username"""
email = models.EmailField(max_length=255, unique=True)
name = models.CharField(max_length=255)
is_active = models.BooleanField(default=True)
is_staff = models.BooleanField(default=False)
is_employee = models.BooleanField(default=False)
objects = UserManager()
USERNAME_FIELD = 'email'
如文档所示:
因此,似乎令牌的用户将
IsAdminUser权限类将拒绝任何用户的权限,除非user.is_staff是True,在这种情况下允许权限。
is_staff设置为True。您可以通过在get()
中添加以下行来确认这一点def get(self, request):
print("request.user.is_staff", request.user.is_staff)
return HttpResponse("You call random test api")