不需要对 OPTIONS 请求进行身份验证
Do not require authentication for OPTIONS requests
我的settings.py
REST_FRAMEWORK = {
'UNICODE_JSON': True,
'NON_FIELD_ERRORS_KEY': '__all__',
'DEFAULT_AUTHENTICATION_CLASSES': (
# TODO(dmu) HIGH: Support OAuth or alike authentication
'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
),
'ALLOWED_VERSIONS': ['v1'],
'DEFAULT_VERSIONING_CLASS': 'rest_framework.versioning.NamespaceVersioning',
'TEST_REQUEST_DEFAULT_FORMAT': 'json',
'TEST_REQUEST_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
)
}
执行此操作时出现身份验证错误:
curl -X OPTIONS http://127.0.0.1:8000/api/passenger/v1/order/ | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58 0 58 0 0 469 0 --:--:-- --:--:-- --:--:-- 475
{
"detail": "Authentication credentials were not provided."
}
我希望我的服务器以 [=27=] 描述响应并且不需要身份验证。同时,我希望它像往常一样要求对 GET、POST、PUT、PATCH 和 DELETE 请求进行身份验证。
我怎样才能做到这一点?
我的解决方案
谢谢 Alasdair 的想法。我个人使用了这个解决方案:
from rest_framework.permissions import DjangoObjectPermissions
OPTIONS_METHOD = 'OPTIONS'
class DjangoObjectPermissionsOrOptions(DjangoObjectPermissions):
def has_permission(self, request, view):
if request.method == OPTIONS_METHOD:
return True
else:
return super(DjangoObjectPermissions, self).has_permission(request, view)
Django rest framework 自带一个权限 class IsAuthenticatedOrReadOnly,它允许经过身份验证的用户执行任何请求,而未经授权的用户可以发出 GET、HEAD 或 OPTIONS 请求。
您的用例非常相似,因此您可以尝试以下操作(未经测试):
class IsAuthenticatedOrOptions(BasePermission):
"""
The request is authenticated as a user, or an OPTIONS request.
"""
def has_permission(self, request, view):
return (
request.method == 'OPTIONS' or
request.user and
request.user.is_authenticated()
)
'DEFAULT_PERMISSION_CLASSES': (
'path.to.IsAuthenticatedOrOptions',
),
我的settings.py
REST_FRAMEWORK = {
'UNICODE_JSON': True,
'NON_FIELD_ERRORS_KEY': '__all__',
'DEFAULT_AUTHENTICATION_CLASSES': (
# TODO(dmu) HIGH: Support OAuth or alike authentication
'rest_framework.authentication.TokenAuthentication',
),
'DEFAULT_PERMISSION_CLASSES': (
'rest_framework.permissions.IsAuthenticated',
),
'DEFAULT_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
),
'ALLOWED_VERSIONS': ['v1'],
'DEFAULT_VERSIONING_CLASS': 'rest_framework.versioning.NamespaceVersioning',
'TEST_REQUEST_DEFAULT_FORMAT': 'json',
'TEST_REQUEST_RENDERER_CLASSES': (
'rest_framework.renderers.JSONRenderer',
)
}
执行此操作时出现身份验证错误:
curl -X OPTIONS http://127.0.0.1:8000/api/passenger/v1/order/ | python -m json.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 58 0 58 0 0 469 0 --:--:-- --:--:-- --:--:-- 475
{
"detail": "Authentication credentials were not provided."
}
我希望我的服务器以 [=27=] 描述响应并且不需要身份验证。同时,我希望它像往常一样要求对 GET、POST、PUT、PATCH 和 DELETE 请求进行身份验证。
我怎样才能做到这一点?
我的解决方案
谢谢 Alasdair 的想法。我个人使用了这个解决方案:
from rest_framework.permissions import DjangoObjectPermissions
OPTIONS_METHOD = 'OPTIONS'
class DjangoObjectPermissionsOrOptions(DjangoObjectPermissions):
def has_permission(self, request, view):
if request.method == OPTIONS_METHOD:
return True
else:
return super(DjangoObjectPermissions, self).has_permission(request, view)
Django rest framework 自带一个权限 class IsAuthenticatedOrReadOnly,它允许经过身份验证的用户执行任何请求,而未经授权的用户可以发出 GET、HEAD 或 OPTIONS 请求。
您的用例非常相似,因此您可以尝试以下操作(未经测试):
class IsAuthenticatedOrOptions(BasePermission):
"""
The request is authenticated as a user, or an OPTIONS request.
"""
def has_permission(self, request, view):
return (
request.method == 'OPTIONS' or
request.user and
request.user.is_authenticated()
)
'DEFAULT_PERMISSION_CLASSES': (
'path.to.IsAuthenticatedOrOptions',
),