Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Authentication and Permissions with Django REST...
Search
xordoquy
October 16, 2016
Programming
0
180
Authentication and Permissions with Django REST framework
An overview of the authentication and permissions management with Django REST framework.
xordoquy
October 16, 2016
Tweet
Share
More Decks by xordoquy
See All by xordoquy
pycon.fr 2018 - Django REST framework workshop
xordoquy
0
310
mauvaises bonnes idées pour REST
xordoquy
1
370
Buildbot 0.9
xordoquy
0
100
Performances Django REST framework - DjangoCong 2016
xordoquy
0
130
Présentation de l'architecture REST - meetup Django Paris
xordoquy
0
110
Django REST framework workshop @Djangocon Europe 2015
xordoquy
0
120
Django REST framework - DjangoConG 2015
xordoquy
3
140
Django REST framework workshop - DjangoCong 2015
xordoquy
1
120
Packaging pratique (fr) - pycon.fr 2014
xordoquy
1
170
Other Decks in Programming
See All in Programming
Claude Agent SDK を使ってみよう
hyshu
0
1.2k
iOSでSVG画像を扱う
kishikawakatsumi
0
110
技術的負債の正体を知って向き合う
irof
0
190
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
450
釣り地図SNSにおける有料機能の実装
nokonoko1203
0
170
フロントエンド開発のためのブラウザ組み込みAI入門
masashi
5
2.5k
CSC509 Lecture 05
javiergs
PRO
0
300
Go Conference 2025: Goで体感するMultipath TCP ― Go 1.24 時代の MPTCP Listener を理解する
takehaya
9
1.7k
詳しくない分野でのVibe Codingで困ったことと学び/vibe-coding-in-unfamiliar-area
shibayu36
3
5.1k
Introduce Hono CLI
yusukebe
6
2.8k
チームの境界をブチ抜いていけ
tokai235
0
190
XP, Testing and ninja testing ZOZ5
m_seki
3
730
Featured
See All Featured
The Invisible Side of Design
smashingmag
302
51k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
Mobile First: as difficult as doing things right
swwweet
225
10k
A better future with KSS
kneath
239
18k
4 Signs Your Business is Dying
shpigford
185
22k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Context Engineering - Making Every Token Count
addyosmani
7
260
What's in a price? How to price your products and services
michaelherold
246
12k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Statistics for Hackers
jakevdp
799
220k
Transcript
Django REST framework Authentification Permissions Xavier Ordoquy
Mainteneur Django REST framework Freelance irc: linovia twitter: linovia_net
Django
DJANGO @login_required() def someview(request): ... ?
DJANGO MIDDLEWARE = [ "django...SessionMiddleware", "django...AuthenticationMiddleware", ] @login_required() def someview(request):
... !
Auth =/= Perm
Django REST framework
CLASSE VUE class ExampleView(APIView): authentication_classes = [SessionAuthentication] permission_classes = [IsAuthenticated]
FONCTION @api_view(['GET']) @authentication_classes([SessionAuthentication]) @permission_classes([IsAuthenticated]) def example_view(request, format=None): return Response({})
SETTINGS REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.SessionAuthentication', ), 'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated', ) }
vue >> settings
Pourquoi ne pas réutiliser Django ?
DJANGO MIDDLEWARE = [ "django...SessionMiddleware", "django...AuthenticationMiddleware", ] @login_required() def someview(request):
...
Problème: authentifications différentes
Problème: trop lié à l’utilisateur
Problème: Middleware pour tout le site
SITE vs API { "count": 2, "next": null, "previous": null,
"results": [ { "email": "
[email protected]
", "groups": [], "url": "http://127.0.0.1:8000/users/1/", "username": "admin" }, { "email": "
[email protected]
", "groups": [ ], "url": "http://127.0.0.1:8000/users/2/", "username": "tom" } ] }
Inclus: Basic
Inclus: Session
Inclus: Token
3RD PARTIES • Django OAuth2 Consumer • JSON Web Token
Authentication • Hawk HTTP Authentication • HTTP Signature Authentication • django-rest-framework-social-oauth2 • Digest Authentication • Djoser • django-rest-auth • django-rest-knox
401 / 403
403 Forbidden The request was successfully authenticated, but permission was
denied.
401 Unauthorized The request was not successfully authenticated, and the
highest priority authentication class does use "WWW-Authenticate" headers
403 Forbidden The request was not successfully authenticated, and the
highest priority authentication class does not use "WWW-Authenticate" headers. > SessionAuthentication <
pas de header pas de 401 401 Unauthorized
CSRF
CSRF @csrf_exempt
CSRF Géré par SessionAuth…
PERMISSIONS
• AllowAny • IsAuthenticated • IsAdminUser • IsAuthenticatedOrReadOnly • DjangoModelPermissions
• DjangoModelPermissionsOrAnonReadOnly • DjangoObjectPermissions INCLUS
DjangoModel Permissions Permissions par Model de django.contrib.auth
PERSONALISATION GET OPTIONS HEAD POST…………………….. PUT………………….. PATCH………………. DELETE……………….. <app label>.add_<model
name> <app label>.change_<model name> <app label>.change_<model name> <app label>.delete_<model name> perms_map
DjangoObject Permissions Permissions par objet de django.contrib.auth (django-guardian ou autre)
PERMISSIONS PAR OBJET SUR LISTE ?
class CustomObjectPermissions(DjangoObjectPermissions): perms_map = { 'GET': ['%(app_label)s.view_%(model_name)s'], 'OPTIONS': ['%(app_label)s.view_%(model_name)s'], 'HEAD':
['%(app_label)s.view_%(model_name)s'], 'POST': ['%(app_label)s.add_%(model_name)s'], 'PUT': ['%(app_label)s.change_%(model_name)s'], 'PATCH': ['%(app_label)s.change_%(model_name)s'], 'DELETE': ['%(app_label)s.delete_%(model_name)s'], } class EventViewSet(viewsets.ModelViewSet): queryset = Event.objects.all() serializer_class = EventSerializer filter_backends = [filters.DjangoObjectPermissionsFilter] permission_classes = [CustomObjectPermissions]
WTF ?!? mes permissions sont appelées 6 x ?
COUPABLE
Pas de permissions sur mon get_object !!
SURCHAGE view.get_object def get_object(self): queryset = self.filter_queryset(self.get_queryset()) filter_kwargs = ###
obj = get_object_or_404(queryset, **filter_kwargs) self.check_object_permissions(self.request, obj) return obj
CACHE GLOBAL (MIDDLEWARE) Pas de gestion de permissions
Permissions complexes ?
Et si j’avais besoin de lire la requête ?
from rest_framework.exceptions import PermissionDenied raise PermissionDenied( 'Some permission failed’ )
Ecrire son auth
from django.contrib.auth.models import User from rest_framework import authentication from rest_framework
import exceptions class ExampleAuthentication(authentication.BaseAuthentication): def authenticate(self, request): username = request.META.get('X_USERNAME') if not username: return None try: user = User.objects.get(username=username) except User.DoesNotExist: raise exceptions.AuthenticationFailed('No such user') return (user, None)
Ecrire ses perms
from rest_framework import permissions class BlacklistPermission(permissions.BasePermission): def has_permission(self, request, view):
ip_addr = request.META['REMOTE_ADDR'] blacklisted = Blacklist.objects.filter( ip_addr=ip_addr).exists() return not blacklisted
class IsOwnerOrReadOnly(permissions.BasePermission): def has_object_permission(self, request, view, obj): if request.method in
permissions.SAFE_METHODS: return True return obj.owner == request.user
One more thing
Pérennité http://www.django-rest- framework.org/topics/funding/
As a direct result of a successful Mozilla grant application,
I will be leaving my current role at DabApps, and attempting to secure a sustainable business model for REST framework development. I need your help in order to make this work. -Tom Christie
MERCI @linovia_net