Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Authentication and Permissions with Django REST framework
Search
xordoquy
October 16, 2016
Programming
0
150
Authentication and Permissions with Django REST framework
An overview of the authentication and permissions management with Django REST framework.
xordoquy
October 16, 2016
Tweet
Share
More Decks by xordoquy
See All by xordoquy
pycon.fr 2018 - Django REST framework workshop
xordoquy
0
170
mauvaises bonnes idées pour REST
xordoquy
1
320
Buildbot 0.9
xordoquy
0
94
Performances Django REST framework - DjangoCong 2016
xordoquy
0
120
Présentation de l'architecture REST - meetup Django Paris
xordoquy
0
99
Django REST framework workshop @Djangocon Europe 2015
xordoquy
0
100
Django REST framework - DjangoConG 2015
xordoquy
3
140
Django REST framework workshop - DjangoCong 2015
xordoquy
1
98
Packaging pratique (fr) - pycon.fr 2014
xordoquy
1
160
Other Decks in Programming
See All in Programming
Javaエンジニアのための Nodejs/Nuxt3入門
hidekatsu_izuno
0
280
Hanami and htmx
bkuhlmann
0
190
Build with AI 2024 Seoul - 제로부터 시작하는 Flutter with Gemini 생활 - 박제창
itsmedreamwalker
0
200
オブジェクト指向のリ・オリエンテーション~歴史を振り返り、AI時代に向きなおる~
hanyudaeiiti
10
5.6k
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
今、知っておきたい! 生成AIエージェントの世界
elith
3
340
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
350
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
430
受託開発でGitLab CI を活用していく
xiombatsg
1
270
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
300
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
490
プールにゆこう
irof
2
120
Featured
See All Featured
The Illustrated Children's Guide to Kubernetes
chrisshort
29
46k
RailsConf 2023
tenderlove
2
530
Practical Orchestrator
shlominoach
181
9.7k
Design by the Numbers
sachag
274
18k
A Philosophy of Restraint
colly
196
16k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Fantastic passwords and where to find them - at NoRuKo
philnash
36
2.5k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Building Your Own Lightsaber
phodgson
98
5.7k
KATA
mclloyd
14
12k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Transcript
Django REST framework Authentification Permissions Xavier Ordoquy
Mainteneur Django REST framework Freelance irc: linovia twitter: linovia_net
Django
DJANGO @login_required() def someview(request): ... ?
DJANGO MIDDLEWARE = [ "django...SessionMiddleware", "django...AuthenticationMiddleware", ] @login_required() def someview(request):
... !
Auth =/= Perm
Django REST framework
CLASSE VUE class ExampleView(APIView): authentication_classes = [SessionAuthentication] permission_classes = [IsAuthenticated]
FONCTION @api_view(['GET']) @authentication_classes([SessionAuthentication]) @permission_classes([IsAuthenticated]) def example_view(request, format=None): return Response({})
SETTINGS REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.SessionAuthentication', ), 'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated', ) }
vue >> settings
Pourquoi ne pas réutiliser Django ?
DJANGO MIDDLEWARE = [ "django...SessionMiddleware", "django...AuthenticationMiddleware", ] @login_required() def someview(request):
...
Problème: authentifications différentes
Problème: trop lié à l’utilisateur
Problème: Middleware pour tout le site
SITE vs API { "count": 2, "next": null, "previous": null,
"results": [ { "email": "
[email protected]
", "groups": [], "url": "http://127.0.0.1:8000/users/1/", "username": "admin" }, { "email": "
[email protected]
", "groups": [ ], "url": "http://127.0.0.1:8000/users/2/", "username": "tom" } ] }
Inclus: Basic
Inclus: Session
Inclus: Token
3RD PARTIES • Django OAuth2 Consumer • JSON Web Token
Authentication • Hawk HTTP Authentication • HTTP Signature Authentication • django-rest-framework-social-oauth2 • Digest Authentication • Djoser • django-rest-auth • django-rest-knox
401 / 403
403 Forbidden The request was successfully authenticated, but permission was
denied.
401 Unauthorized The request was not successfully authenticated, and the
highest priority authentication class does use "WWW-Authenticate" headers
403 Forbidden The request was not successfully authenticated, and the
highest priority authentication class does not use "WWW-Authenticate" headers. > SessionAuthentication <
pas de header pas de 401 401 Unauthorized
CSRF
CSRF @csrf_exempt
CSRF Géré par SessionAuth…
PERMISSIONS
• AllowAny • IsAuthenticated • IsAdminUser • IsAuthenticatedOrReadOnly • DjangoModelPermissions
• DjangoModelPermissionsOrAnonReadOnly • DjangoObjectPermissions INCLUS
DjangoModel Permissions Permissions par Model de django.contrib.auth
PERSONALISATION GET OPTIONS HEAD POST…………………….. PUT………………….. PATCH………………. DELETE……………….. <app label>.add_<model
name> <app label>.change_<model name> <app label>.change_<model name> <app label>.delete_<model name> perms_map
DjangoObject Permissions Permissions par objet de django.contrib.auth (django-guardian ou autre)
PERMISSIONS PAR OBJET SUR LISTE ?
class CustomObjectPermissions(DjangoObjectPermissions): perms_map = { 'GET': ['%(app_label)s.view_%(model_name)s'], 'OPTIONS': ['%(app_label)s.view_%(model_name)s'], 'HEAD':
['%(app_label)s.view_%(model_name)s'], 'POST': ['%(app_label)s.add_%(model_name)s'], 'PUT': ['%(app_label)s.change_%(model_name)s'], 'PATCH': ['%(app_label)s.change_%(model_name)s'], 'DELETE': ['%(app_label)s.delete_%(model_name)s'], } class EventViewSet(viewsets.ModelViewSet): queryset = Event.objects.all() serializer_class = EventSerializer filter_backends = [filters.DjangoObjectPermissionsFilter] permission_classes = [CustomObjectPermissions]
WTF ?!? mes permissions sont appelées 6 x ?
COUPABLE
Pas de permissions sur mon get_object !!
SURCHAGE view.get_object def get_object(self): queryset = self.filter_queryset(self.get_queryset()) filter_kwargs = ###
obj = get_object_or_404(queryset, **filter_kwargs) self.check_object_permissions(self.request, obj) return obj
CACHE GLOBAL (MIDDLEWARE) Pas de gestion de permissions
Permissions complexes ?
Et si j’avais besoin de lire la requête ?
from rest_framework.exceptions import PermissionDenied raise PermissionDenied( 'Some permission failed’ )
Ecrire son auth
from django.contrib.auth.models import User from rest_framework import authentication from rest_framework
import exceptions class ExampleAuthentication(authentication.BaseAuthentication): def authenticate(self, request): username = request.META.get('X_USERNAME') if not username: return None try: user = User.objects.get(username=username) except User.DoesNotExist: raise exceptions.AuthenticationFailed('No such user') return (user, None)
Ecrire ses perms
from rest_framework import permissions class BlacklistPermission(permissions.BasePermission): def has_permission(self, request, view):
ip_addr = request.META['REMOTE_ADDR'] blacklisted = Blacklist.objects.filter( ip_addr=ip_addr).exists() return not blacklisted
class IsOwnerOrReadOnly(permissions.BasePermission): def has_object_permission(self, request, view, obj): if request.method in
permissions.SAFE_METHODS: return True return obj.owner == request.user
One more thing
Pérennité http://www.django-rest- framework.org/topics/funding/
As a direct result of a successful Mozilla grant application,
I will be leaving my current role at DabApps, and attempting to secure a sustainable business model for REST framework development. I need your help in order to make this work. -Tom Christie
MERCI @linovia_net