Authentication and Permissions with Django REST framework
An overview of the authentication and permissions management with Django REST framework.
xordoquy
October 16, 2016
Transcript
Django REST framework: Authentication and Permissions. Xavier Ordoquy
Maintainer of Django REST framework, freelance. irc: linovia, twitter: linovia_net
Django
DJANGO
    @login_required()
    def someview(request):
        ...
    ?
DJANGO
    MIDDLEWARE = [
        "django...SessionMiddleware",
        "django...AuthenticationMiddleware",
    ]

    @login_required()
    def someview(request):
        ...
    !
Auth =/= Perm
Django REST framework
CLASS-BASED VIEW
    class ExampleView(APIView):
        authentication_classes = [SessionAuthentication]
        permission_classes = [IsAuthenticated]
FUNCTION-BASED VIEW
    @api_view(['GET'])
    @authentication_classes([SessionAuthentication])
    @permission_classes([IsAuthenticated])
    def example_view(request, format=None):
        return Response({})
SETTINGS
    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.SessionAuthentication',
        ),
        'DEFAULT_PERMISSION_CLASSES': (
            'rest_framework.permissions.IsAuthenticated',
        )
    }
view >> settings (classes declared on the view override the defaults from settings)
Why not reuse Django?
DJANGO
    MIDDLEWARE = [
        "django...SessionMiddleware",
        "django...AuthenticationMiddleware",
    ]

    @login_required()
    def someview(request):
        ...
Problem: different authentication schemes
Problem: too tied to the user
Problem: middleware applies to the whole site
SITE vs API
    {
        "count": 2,
        "next": null,
        "previous": null,
        "results": [
            {
                "email": "[email protected]",
                "groups": [],
                "url": "http://127.0.0.1:8000/users/1/",
                "username": "admin"
            },
            {
                "email": "[email protected]",
                "groups": [],
                "url": "http://127.0.0.1:8000/users/2/",
                "username": "tom"
            }
        ]
    }
Built in: Basic
Built in: Session
Built in: Token
3RD PARTIES
• Django OAuth2 Consumer
• JSON Web Token Authentication
• Hawk HTTP Authentication
• HTTP Signature Authentication
• django-rest-framework-social-oauth2
• Digest Authentication
• Djoser
• django-rest-auth
• django-rest-knox
401 / 403
403 Forbidden: the request was successfully authenticated, but permission was denied.
401 Unauthorized: the request was not successfully authenticated, and the highest-priority authentication class does use "WWW-Authenticate" headers.
403 Forbidden: the request was not successfully authenticated, and the highest-priority authentication class does not use "WWW-Authenticate" headers.
> SessionAuthentication <
No "WWW-Authenticate" header, so no 401.
401 Unauthorized
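The 401-versus-403 rule on the slides above, modelled in plain Python as an added example (this is not code from the deck or from Django REST framework itself, and it needs no Django installed). The stub authentication classes and the `resolve` function are constructed for this illustration: each authentication class reports whether it can issue a challenge, and `resolve` applies the three cases from the slide, taking the first (highest-priority) authenticator as the one that decides.

```python
"""Model of the 401 / 403 decision for an API view (constructed example)."""


class BasicAuthentication:
    """Can challenge the client, so a failed authentication yields 401."""

    def authenticate_header(self, request):
        return 'Basic realm="api"'


class TokenAuthentication:
    """Also challenges the client with a WWW-Authenticate header."""

    def authenticate_header(self, request):
        return "Token"


class SessionAuthentication:
    """Browser session: no challenge header, so a failed authentication yields 403."""

    def authenticate_header(self, request):
        return None


def resolve(authenticators, authenticated, permitted):
    """Return (HTTP status, value for the WWW-Authenticate header or None).

    authenticators: ordered list, highest priority first (as on the view).
    authenticated:  whether any authenticator accepted the request.
    permitted:      whether the permission classes all passed.
    """
    if permitted:
        return 200, None
    # "Not authenticated" only applies when authenticators were configured
    # and none of them succeeded; otherwise it is a plain permission failure.
    if authenticators and not authenticated:
        challenge = authenticators[0].authenticate_header(None)
        if challenge:
            return 401, challenge       # client is told how to authenticate
        return 403, None                # no challenge possible: 403 instead
    return 403, None


if __name__ == "__main__":
    # Constructed scenarios; the order of the list changes the outcome.
    print(resolve([BasicAuthentication()], False, False))
    print(resolve([SessionAuthentication(), BasicAuthentication()], False, False))
    print(resolve([BasicAuthentication(), SessionAuthentication()], False, False))
```

The ordering case is the practical one: with `SessionAuthentication` listed first, an unauthenticated client gets a 403 with no challenge even though `BasicAuthentication` is also configured, which is exactly the "no header, no 401" point of the slide.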
CSRF
CSRF @csrf_exempt
CSRF: handled by SessionAuthentication… (API views are CSRF-exempt, but SessionAuthentication enforces the CSRF check itself for session-authenticated requests)
PERMISSIONS
BUILT IN
• AllowAny
• IsAuthenticated
• IsAdminUser
• IsAuthenticatedOrReadOnly
• DjangoModelPermissions
• DjangoModelPermissionsOrAnonReadOnly
• DjangoObjectPermissions
DjangoModelPermissions: per-model permissions from django.contrib.auth
CUSTOMISATION: perms_map
    GET ....... (no permission required)
    OPTIONS ... (no permission required)
    HEAD ...... (no permission required)
    POST ...... <app label>.add_<model name>
    PUT ....... <app label>.change_<model name>
    PATCH ..... <app label>.change_<model name>
    DELETE .... <app label>.delete_<model name>
DjangoObjectPermissions: per-object permissions from django.contrib.auth (django-guardian or another backend)
OBJECT PERMISSIONS ON A LIST VIEW?
    class CustomObjectPermissions(DjangoObjectPermissions):
        perms_map = {
            'GET': ['%(app_label)s.view_%(model_name)s'],
            'OPTIONS': ['%(app_label)s.view_%(model_name)s'],
            'HEAD': ['%(app_label)s.view_%(model_name)s'],
            'POST': ['%(app_label)s.add_%(model_name)s'],
            'PUT': ['%(app_label)s.change_%(model_name)s'],
            'PATCH': ['%(app_label)s.change_%(model_name)s'],
            'DELETE': ['%(app_label)s.delete_%(model_name)s'],
        }

    class EventViewSet(viewsets.ModelViewSet):
        queryset = Event.objects.all()
        serializer_class = EventSerializer
        filter_backends = [filters.DjangoObjectPermissionsFilter]
        permission_classes = [CustomObjectPermissions]
WTF?!? My permissions are called 6 times?
CULPRIT
No permission check in my get_object!!
OVERRIDING view.get_object
    def get_object(self):
        queryset = self.filter_queryset(self.get_queryset())
        filter_kwargs = ###  # lookup kwargs, elided on the slide
        obj = get_object_or_404(queryset, **filter_kwargs)
        # object-level permissions only run if you call this explicitly
        self.check_object_permissions(self.request, obj)
        return obj
GLOBAL CACHE (MIDDLEWARE): no permission handling (a cached response is served before the view, so its permission checks never run)
Complex permissions?
What if I need to read the request?
    from rest_framework.exceptions import PermissionDenied

    raise PermissionDenied('Some permission failed')
Writing your own authentication
    from django.contrib.auth.models import User
    from rest_framework import authentication
    from rest_framework import exceptions

    class ExampleAuthentication(authentication.BaseAuthentication):
        def authenticate(self, request):
            # an X-Username request header is exposed in META as HTTP_X_USERNAME
            username = request.META.get('HTTP_X_USERNAME')
            if not username:
                return None  # no credentials: let the next class try
            try:
                user = User.objects.get(username=username)
            except User.DoesNotExist:
                raise exceptions.AuthenticationFailed('No such user')
            return (user, None)
Writing your own permissions
    from rest_framework import permissions

    class BlacklistPermission(permissions.BasePermission):
        def has_permission(self, request, view):
            ip_addr = request.META['REMOTE_ADDR']
            # Blacklist is an application model assumed to exist (not shown on the slide)
            blacklisted = Blacklist.objects.filter(ip_addr=ip_addr).exists()
            return not blacklisted

    class IsOwnerOrReadOnly(permissions.BasePermission):
        def has_object_permission(self, request, view, obj):
            if request.method in permissions.SAFE_METHODS:
                return True
            return obj.owner == request.user
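The two-level permission flow described from the "OVERRIDING view.get_object" slide through the custom permission classes above, as an added example in plain Python (not the deck's code and not Django REST framework's; it runs without Django). The `User`, `Event`, `Request` and `EventView` classes and the `attempt` helper are constructed for the illustration: `ModelPermissions` applies a `perms_map` like the one on the slides in `has_permission`, `IsOwnerOrReadOnly` decides in `has_object_permission`, and `EventView.get_object` is where `check_object_permissions` has to be called. The `check_objects=False` switch reproduces the "culprit" slide so the effect of forgetting that call is visible.

```python
"""Model of view-level and object-level permission checks (constructed example)."""
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)  # e.g. {"events.change_event"}

    def has_perms(self, required):
        return all(p in self.perms for p in required)


@dataclass
class Event:
    pk: int
    owner: User
    app_label = "events"   # stands in for Django's model metadata
    model_name = "event"


@dataclass
class Request:
    method: str
    user: User


class ModelPermissions:
    """Per-method permission map, in the spirit of DjangoModelPermissions."""
    perms_map = {
        "GET": [], "OPTIONS": [], "HEAD": [],
        "POST": ["%(app_label)s.add_%(model_name)s"],
        "PUT": ["%(app_label)s.change_%(model_name)s"],
        "PATCH": ["%(app_label)s.change_%(model_name)s"],
        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
    }

    def required(self, method, model):
        names = {"app_label": model.app_label, "model_name": model.model_name}
        return [p % names for p in self.perms_map[method]]

    def has_permission(self, request, view):
        return request.user.has_perms(self.required(request.method, view.model))

    def has_object_permission(self, request, view, obj):
        return True  # nothing object-specific to decide here


class IsOwnerOrReadOnly:
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        if request.method in SAFE_METHODS:
            return True
        return obj.owner is request.user


class EventView:
    model = Event
    permission_classes = [ModelPermissions, IsOwnerOrReadOnly]

    def __init__(self, objects, check_objects=True):
        self.objects = {o.pk: o for o in objects}
        self.check_objects = check_objects  # False reproduces the "culprit" slide

    def get_permissions(self):
        return [cls() for cls in self.permission_classes]

    def check_permissions(self, request):
        for perm in self.get_permissions():
            if not perm.has_permission(request, self):
                raise PermissionDenied(f"{type(perm).__name__}.has_permission")

    def check_object_permissions(self, request, obj):
        for perm in self.get_permissions():
            if not perm.has_object_permission(request, self, obj):
                raise PermissionDenied(f"{type(perm).__name__}.has_object_permission")

    def get_object(self, request, pk):
        obj = self.objects[pk]
        if self.check_objects:          # the call the slide's get_object was missing
            self.check_object_permissions(request, obj)
        return obj

    def dispatch(self, request, pk):
        self.check_permissions(request)  # view level: has_permission
        obj = self.get_object(request, pk)  # object level: has_object_permission
        return f"{request.method} event {obj.pk} ok"


def attempt(view, request, pk):
    """Run one request and report the outcome as a string."""
    try:
        return view.dispatch(request, pk)
    except PermissionDenied as exc:
        return f"denied by {exc}"
```

Usage: build `alice` and `bob` with `{"events.change_event"}`, an `Event(1, alice)`, and compare `attempt(EventView([event]), Request("PUT", bob), 1)` with the same call on `EventView([event], check_objects=False)`: the first is refused by `IsOwnerOrReadOnly.has_object_permission`, the second is accepted, because a `get_object` that never calls `check_object_permissions` makes every object-level class a no-op on detail routes.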
One more thing
Sustainability: http://www.django-rest-framework.org/topics/funding/
As a direct result of a successful Mozilla grant application, I will be leaving my current role at DabApps, and attempting to secure a sustainable business model for REST framework development. I need your help in order to make this work. -Tom Christie
THANK YOU @linovia_net