Permissions

    More details on how to add custom permissions to your API endpoints can be found in the official Django REST Framework documentation.

    The TokenHasScope permission class allows access only when the current access token has been authorized for all the scopes listed in the required_scopes field of the view.

    For example:

    The required_scopes attribute is mandatory.

    The TokenHasReadWriteScope permission class allows access based on the READ_SCOPE and WRITE_SCOPE configured in the settings.

    The required_scopes attribute is optional and can be used to require additional scopes in the view.

    For example:

        from oauth2_provider.contrib.rest_framework import OAuth2Authentication, TokenHasReadWriteScope
        from rest_framework import views
        class SongView(views.APIView):
            authentication_classes = [OAuth2Authentication]
            permission_classes = [TokenHasReadWriteScope]
            required_scopes = ['music']

    When a request is performed, both the READ_SCOPE or WRITE_SCOPE (depending on the request method) and the 'music' scope are required to be authorized for the current access token.

    The TokenHasResourceScope permission class allows access only when the current access token has been authorized for all the scopes listed in the required_scopes field of the view, but according to the request's method.

    When the current request's method is one of the "safe" methods, access is allowed only if the access token has been authorized for the scope:read scope (for example music:read). When the request's method is one of the "non-safe" methods, access is allowed only if the access token has been authorized for the scope:write scope (for example music:write).

    The IsAuthenticatedOrTokenHasScope permission class allows access only when the current access token has been authorized for all the scopes listed in the required_scopes field of the view, but according to the request's method. It also allows access to users who are authenticated in Django but were not authenticated through the OAuth2Authentication class. This protects the API using scopes while still letting users browse the full browsable API. To restrict users to browsing only the parts of the browsable API they should be allowed to see, you can combine this with DjangoModelPermissions or DjangoObjectPermissions.

    For example:

        from oauth2_provider.contrib.rest_framework import IsAuthenticatedOrTokenHasScope
        from rest_framework import views
        from rest_framework.permissions import DjangoModelPermissions
        class SongView(views.APIView):
            permission_classes = [IsAuthenticatedOrTokenHasScope, DjangoModelPermissions]
            required_scopes = ['music']

    The required_scopes attribute is mandatory.

    The TokenMatchesOASRequirements permission class allows access on a per-method basis, with alternative lists of required scopes. This permission provides the full functionality required by REST API specifications like the OpenAPI Specification (OAS).

    The required_alternate_scopes attribute is a required map keyed by HTTP method name, where each value is a list of alternative lists of required scopes. A request is allowed if at least one of the alternative lists for its method is fully covered by the token's scopes.

    The following is a minimal OAS declaration that shows the same required alternate scopes. It is complete enough to try it in the swagger editor.

        openapi: "3.0.0"
        info:
          title: songs
          version: v1
        components:
          securitySchemes:
            song_auth:
              type: oauth2
              flows:
                implicit:
                  authorizationUrl: http://localhost:8000/o/authorize
                  scopes:
                    read: read about a song
                    create: create a new song
                    update: update an existing song
                    delete: delete a song
                    post: create a new song
                    put: update an existing song
                    widget: widget scope
                    scope2: scope too
                    scope3: another scope
        paths:
          /songs:
            get:
              security:
                - song_auth: [read]
              responses:
                '200':
                  description: list of songs
            post:
              security:
                - song_auth: [create]
                - song_auth: [post, widget]
              responses:
                '201':
                  description: new song added
            put:
              security:
                - song_auth: [update]
                - song_auth: [put, widget]
              responses:
                '204':
                  description: song updated
            delete:
              security:
                - song_auth: [delete]
                - song_auth: [scope2, scope3]
              responses:
                '204':
                  description: song deleted
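    The scope-matching rules of TokenHasResourceScope and TokenMatchesOASRequirements, re-implemented below as plain functions so they can be checked without a Django project. This is an added illustration, not django-oauth-toolkit's own code; it assumes a token's scopes are given as the space-separated string stored on the access token, treats GET, HEAD and OPTIONS as the "safe" methods, uses the default READ_SCOPE "read" and WRITE_SCOPE "write", and mirrors the alternate-scope map of the OAS declaration above.

```python
# Added illustration of the permission rules, not the library's implementation.
# Token expiry is not modelled here; the real classes also reject expired tokens.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # assumption: DRF's safe methods
READ_SCOPE, WRITE_SCOPE = "read", "write"   # assumption: library defaults

# Same per-method alternatives as the OAS declaration above (constructed).
REQUIRED_ALTERNATE_SCOPES = {
    "GET": [["read"]],
    "POST": [["create"], ["post", "widget"]],
    "PUT": [["update"], ["put", "widget"]],
    "DELETE": [["delete"], ["scope2", "scope3"]],
}


def scopes_from_token(scope_string):
    """Access tokens store granted scopes as a space-separated string."""
    return set(scope_string.split())


def has_resource_scope(token_scopes, method, required_scopes):
    """TokenHasResourceScope rule: every view scope is required as
    '<scope>:read' for safe methods and '<scope>:write' for all others."""
    suffix = READ_SCOPE if method.upper() in SAFE_METHODS else WRITE_SCOPE
    needed = {f"{scope}:{suffix}" for scope in required_scopes}
    return needed <= set(token_scopes)


def matches_oas_requirements(token_scopes, method, alternate_scopes):
    """TokenMatchesOASRequirements rule: the method must be listed in the map
    and at least one alternative list must be fully covered by the token.
    A method with no entry is denied rather than allowed by default."""
    granted = set(token_scopes)
    alternatives = alternate_scopes.get(method.upper())
    if not alternatives:
        return False
    return any(set(alt) <= granted for alt in alternatives)


if __name__ == "__main__":
    # Constructed tokens: the second one holds only half of one alternative.
    for scope_string, method in (("post widget", "POST"), ("post", "POST"),
                                 ("read", "PATCH"), ("music:read", "GET")):
        token = scopes_from_token(scope_string)
        print(method, sorted(token),
              "oas:", matches_oas_requirements(token, method, REQUIRED_ALTERNATE_SCOPES),
              "resource:", has_resource_scope(token, method, ["music"]))
```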