Skip to content

D
django-rest-framework
Commit afd49023 by Sébastien Piquemal
Options

authentication refactor : request.user + tests pass

parent 9da1ae81
Showing with 78 additions and 53 deletions
djangorestframework/authentication.py
......@@ -88,13 +88,14 @@ class UserLoggedInAuthentication(BaseAuthentication):
Otherwise returns :const:`None`.
"""
request.DATA # Make sure our generic parsing runs first
user = getattr(request.request, 'user', None)
if getattr(request, 'user', None) and request.user.is_active:
if user and user.is_active:
# Enforce CSRF validation for session based authentication.
resp = CsrfViewMiddleware().process_view(request, None, (), {})
if resp is None: # csrf passed
return request.user
return user
return None
......
djangorestframework/mixins.py
......@@ -3,7 +3,6 @@ The :mod:`mixins` module provides a set of reusable `mixin`
classes that can be added to a `View`.
"""
from django.contrib.auth.models import AnonymousUser
from django.core.paginator import Paginator
from django.db.models.fields.related import ForeignKey
from urlobject import URLObject
......@@ -19,7 +18,7 @@ __all__ = (
# Base behavior mixins
'RequestMixin',
'ResponseMixin',
'AuthMixin',
'PermissionsMixin',
'ResourceMixin',
# Reverse URL lookup behavior
'InstanceMixin',
......@@ -45,6 +44,13 @@ class RequestMixin(object):
Should be a tuple/list of classes as described in the :mod:`parsers` module.
"""
authentication_classes = ()
"""
The set of authentication types that this view can handle.
Should be a tuple/list of classes as described in the :mod:`authentication` module.
"""
request_class = Request
"""
The class to use as a wrapper for the original request object.
......@@ -56,6 +62,12 @@ class RequestMixin(object):
"""
return [p(self) for p in self.parser_classes]
def get_authentications(self):
"""
Instantiates and returns the list of authentications the request will use.
"""
return [a(self) for a in self.authentication_classes]
def create_request(self, request):
"""
Creates and returns an instance of :class:`request.Request`.
......@@ -63,7 +75,9 @@ class RequestMixin(object):
parsers set on the view.
"""
parsers = self.get_parsers()
return self.request_class(request, parsers=parsers)
authentications = self.get_authentications()
return self.request_class(request, parsers=parsers,
authentications=authentications)
@property
def _parsed_media_types(self):
......@@ -134,57 +148,32 @@ class ResponseMixin(object):
return [renderer.format for renderer in self.get_renderers()]
########## Auth Mixin ##########
########## Permissions Mixin ##########
class AuthMixin(object):
class PermissionsMixin(object):
"""
Simple :class:`mixin` class to add authentication and permission checking to a :class:`View` class.
Simple :class:`mixin` class to add permission checking to a :class:`View` class.
"""
authentication = ()
"""
The set of authentication types that this view can handle.
Should be a tuple/list of classes as described in the :mod:`authentication` module.
"""
permissions = ()
permissions_classes = ()
"""
The set of permissions that will be enforced on this view.
Should be a tuple/list of classes as described in the :mod:`permissions` module.
"""
@property
def user(self):
"""
Returns the :obj:`user` for the current request, as determined by the set of
:class:`authentication` classes applied to the :class:`View`.
"""
if not hasattr(self, '_user'):
self._user = self._authenticate()
return self._user
def _authenticate(self):
def get_permissions(self):
"""
Attempt to authenticate the request using each authentication class in turn.
Returns a ``User`` object, which may be ``AnonymousUser``.
Instantiates and returns the list of permissions that this view requires.
"""
for authentication_cls in self.authentication:
authentication = authentication_cls(self)
user = authentication.authenticate(self.request)
if user:
return user
return AnonymousUser()
return [p(self) for p in self.permissions_classes]
# TODO: wrap this behavior around dispatch()
def _check_permissions(self):
def check_permissions(self, user):
"""
Check user permissions and either raise an ``ImmediateResponse`` or return.
"""
user = self.user
for permission_cls in self.permissions:
permission = permission_cls(self)
for permission in self.get_permissions():
permission.check_permission(user)
......
djangorestframework/request.py
......@@ -8,14 +8,15 @@ The wrapped request then offers a richer API, in particular :
- full support of PUT method, including support for file uploads
- form overloading of HTTP method, content type and content
"""
from StringIO import StringIO
from django.contrib.auth.models import AnonymousUser
from djangorestframework.response import ImmediateResponse
from djangorestframework import status
from djangorestframework.utils.mediatypes import is_form_media_type
from djangorestframework.utils import as_tuple
from StringIO import StringIO
__all__ = ('Request',)
......@@ -27,6 +28,7 @@ class Request(object):
Kwargs:
- request(HttpRequest). The original request instance.
- parsers(list/tuple). The parsers to use for parsing the request content.
- authentications(list/tuple). The authentications used to try authenticating the request's user.
"""
_USE_FORM_OVERLOADING = True
......@@ -34,10 +36,12 @@ class Request(object):
_CONTENTTYPE_PARAM = '_content_type'
_CONTENT_PARAM = '_content'
def __init__(self, request=None, parsers=None):
def __init__(self, request, parsers=None, authentications=None):
self.request = request
if parsers is not None:
self.parsers = parsers
if authentications is not None:
self.authentications = authentications
@property
def method(self):
......@@ -87,6 +91,16 @@ class Request(object):
self._load_data_and_files()
return self._files
@property
def user(self):
"""
Returns the :obj:`user` for the current request, authenticated
with the set of :class:`authentication` instances applied to the :class:`Request`.
"""
if not hasattr(self, '_user'):
self._user = self._authenticate()
return self._user
def _load_data_and_files(self):
"""
Parses the request content into self.DATA and self.FILES.
......@@ -192,6 +206,27 @@ class Request(object):
parsers = property(_get_parsers, _set_parsers)
def _authenticate(self):
"""
Attempt to authenticate the request using each authentication instance in turn.
Returns a ``User`` object, which may be ``AnonymousUser``.
"""
for authentication in self.authentications:
user = authentication.authenticate(self)
if user:
return user
return AnonymousUser()
def _get_authentications(self):
if hasattr(self, '_authentications'):
return self._authentications
return ()
def _set_authentications(self, value):
self._authentications = value
authentications = property(_get_authentications, _set_authentications)
def __getattr__(self, name):
"""
When an attribute is not present on the calling instance, try to get it
......
djangorestframework/tests/authentication.py
......@@ -12,7 +12,7 @@ import base64
class MockView(View):
permissions = (permissions.IsAuthenticated,)
permissions_classes = (permissions.IsAuthenticated,)
def post(self, request):
return HttpResponse({'a': 1, 'b': 2, 'c': 3})
......
djangorestframework/tests/throttling.py
......@@ -13,17 +13,17 @@ from djangorestframework.resources import FormResource
from djangorestframework.response import Response
class MockView(View):
permissions = ( PerUserThrottling, )
permissions_classes = ( PerUserThrottling, )
throttle = '3/sec'
def get(self, request):
return Response('foo')
class MockView_PerViewThrottling(MockView):
permissions = ( PerViewThrottling, )
permissions_classes = ( PerViewThrottling, )
class MockView_PerResourceThrottling(MockView):
permissions = ( PerResourceThrottling, )
permissions_classes = ( PerResourceThrottling, )
resource = FormResource
class MockView_MinuteThrottling(MockView):
......@@ -54,7 +54,7 @@ class ThrottlingTests(TestCase):
"""
Explicitly set the timer, overriding time.time()
"""
view.permissions[0].timer = lambda self: value
view.permissions_classes[0].timer = lambda self: value
def test_request_throttling_expires(self):
"""
......
djangorestframework/views.py
......@@ -69,7 +69,7 @@ _resource_classes = (
)
class View(ResourceMixin, RequestMixin, ResponseMixin, AuthMixin, DjangoView):
class View(ResourceMixin, RequestMixin, ResponseMixin, PermissionsMixin, DjangoView):
"""
Handles incoming requests and maps them to REST operations.
Performs request deserialization, response serialization, authentication and input validation.
......@@ -91,13 +91,13 @@ class View(ResourceMixin, RequestMixin, ResponseMixin, AuthMixin, DjangoView):
List of parser classes the resource can parse the request with.
"""
authentication = (authentication.UserLoggedInAuthentication,
authentication_classes = (authentication.UserLoggedInAuthentication,
authentication.BasicAuthentication)
"""
List of all authenticating methods to attempt.
"""
permissions = (permissions.FullAnonAccess,)
permissions_classes = (permissions.FullAnonAccess,)
"""
List of all permissions that must be checked.
"""
......@@ -206,15 +206,15 @@ class View(ResourceMixin, RequestMixin, ResponseMixin, AuthMixin, DjangoView):
# all other authentication is CSRF exempt.
@csrf_exempt
def dispatch(self, request, *args, **kwargs):
self.request = self.create_request(request)
self.request = request = self.create_request(request)
self.args = args
self.kwargs = kwargs
try:
self.initial(request, *args, **kwargs)
# Authenticate and check request has the relevant permissions
self._check_permissions()
# check that user has the relevant permissions
self.check_permissions(request.user)
# Get the appropriate handler method
if request.method.lower() in self.http_method_names:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment