Permission
Permission
DRFμ Permission System
- νμ¬ μμ²μ λν νμ©β’κ±°λΆλ₯Ό κ²°μ νλ©° APIView λ¨μλ‘ μ§μ μ΄ κ°λ₯
AllowAny(λν΄νΈ μ μ μ€μ ) : μΈμ¦ μ¬λΆμ μκ΄μμ΄ λ·° νΈμΆμ νμ©IsAuthenticated: μΈμ¦λ μμ²μ νν΄μ λ·° νΈμΆ νμ© (λ‘κ·ΈμΈμ΄ λμ΄μμ΄μΌλ§ μ κ·Ό νμ©)IsAdminUser: Staff μΈμ¦ μμ²μ νν΄μ λ·° νΈμΆ νμ©IsAuthenticatedOrReadOnly: λΉμΈμ¦ μμ²μκ²λ μ½κΈ° κΆνλ§ νμ© (λ‘κ·ΈμΈμ΄ λμ΄ μμ§μμλ μ‘°νλ κ°λ₯)DjangoModelPermissons: μΈμ¦λ μμ²μ ννμ¬ λ·° νΈμΆ νμ©, μΆκ°λ‘ μ₯κ³ λͺ¨λΈ λ¨μ Permissions 체ν¬DjangoModelPermissionsOrAnonReadOnly:DjangoModelPermissionsμ μ μ¬, λΉμΈμ¦ μμ²μκ²λ μ½κΈ°λ§ νμ©DjangoObjectPermissons: λΉμΈμ¦ μμ²μ κ±°λΆ, μΈμ¦λ μμ²μ Objectμ λν κΆν μ²΄ν¬ μν
# Permission
SAFE_METHODS = ('GET', 'HEAD', 'OPTIONS')
class AllowAny(BasePermission):
def has_permission(self, request, view):
return True
class IsAuthenticated(BasePermission):
def has_permission(self, request, view):
return request.user and request.user.is_authenticated
class IsAdminUser(BasePermission):
def has_permission(self, request, view):
return request.user and request.user.is_staff
class IsAuthorOrReadOnly(permissions.BasePermission):
# μΈμ¦λ μ μ μ νν΄, λͺ©λ‘ μ‘°ν/ν¬μ€ν
λ±λ‘ νμ©
def has_permission(self, request, view):
return request.user.is_authenticated
# μμ±μμ νν΄ λ μ½λμ λν μμ /μμ νμ©
def has_object_permission(self, request, view, obj):
# μ‘°ν μμ²(GET, HEAD, OPTIONS)μ λν΄ μΈμ¦μ¬λΆ μκ΄μμ΄ νμ©
if request.method in permissions.SAFE_METHODS:
return True
# PUT, DELETE μμ²μ λν΄ μμ±μμΌ κ²½μ° μμ² νμ©
return obj.author == request.user
class IsAuthorUpdateOrReadOnly(permissions.BasePermission):
def has_permission(self, request, view):
return request.user.is_authenticated
def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS:
return True
if request.method == 'DELETE':
return request.user.is_superuser # λλ .is_staff
return obj.author == request.user# Default μ μ μ€μ (settings.py)
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES' : [
'rest_framework.permissions.IsAuthenticated',
]
}
# APIViewμμμ μ§μ
from rest_framework.permissions import IsAuthenticated
class ExampleView(APIView):
permissions_classes = [IsAuthenticated]
def get(self, request, format=None):
content = {'status' : 'request was permitted'}
return Response(content)
# @api_viewμμμ μ§μ
from rest_framework.decorators import permission_classes
@api_view(['GET'])
@permission_classes([IsAuthenticated])
def example_view(request, format=None)
content = {'status' : 'request was permitted'}
returnn Response(content)Custom Permission
- λͺ¨λ Permission ν΄λμ€λ λ€μ 2κ°μ§ ν¨μλ₯Ό μ νμ μΌλ‘ ꡬν
has_permission(request, view)- APIView μ κ·Ό μ 체ν¬
- κ±°μ λͺ¨λ Permission ν΄λμ€μμ ꡬνλλ©° λ‘μ§μ λ°λΌ
True/Falseλ°ν
has_object_permission(request, view, obj)- APIViewμ
get_objectν¨μλ₯Ό ν΅ν΄ object νλ μμ μ²΄ν¬ - κΈ°μ‘΄μ Mixin μμ λ°μ κ²½μ°
RetrieveModelMixin,UpdateModelMixi,DestroyModelMixinμμget_object()μ¬μ© DjangoObjectPermissionsμμ ꡬννλ©° λ‘μ§μ λ°λΌTrue/Falseλ°ν
- APIViewμ
- κΈ°λ³Έμ μΌλ‘ Custom Permissionλ€μ
BasePermissionμ μμλ°μ μμ±νκ² λ¨- Permissionμ
has_object_permissionμ΄ μλhas_permissionμ ν΄λΉ μμ²μ΄ λ€μ΄μ¬ λ νμ μ€νμ΄ λ¨ has_object_permissionμ΄ λ€μ΄μ€κΈ° μ μλhas_permissionμ μ°μ κ±°μΉ ν μ€νμ΄ λκ³ APIViewμμ μμ μλμΌλ‘ μ€νμ΄ λ¨- νμ§λ§
has_object_permissionμ κ²½μ° λ³λμ νΈμΆ κ³Όμ μ΄ νμ
- Permissionμ
# Custom Permission
from django.contrib.auth import get_user_model
from rest_framework.permissions import BasePermission, SAFE_METHODS
class IsOwnerOnly(BasePermission):
# μμ±μλ§ μ κ·Ό
def has_object_permission(self, request, view, obj):
if request.user.is_authenticated:
# κ΄λ¦¬μ
if request.user.role == '10':
return True
elif hasattr(obj, 'profile'):
return obj.profile.id == request.user.id
elif obj.__class__ == get_user_model():
return obj.id == request.user.id
return False
else:
return False
π± Backend-Dev | hwaya2828@gmail.com