def __init__(self, request: HttpRequest, parsers=None, authenticators=None, negotiator=None, parser_context=None):
    """Wrap a Django ``HttpRequest`` and record the components used to process it.

    Args:
        request: the underlying ``django.http.HttpRequest``; anything else
            trips the ``isinstance`` assertion below.
        parsers: parser instances; ``None`` becomes an empty tuple.
        authenticators: authenticator instances tried by ``_authenticate``;
            ``None`` becomes an empty tuple (i.e. no authentication scheme).
        negotiator: content negotiator; ``None`` falls back to
            ``self._default_negotiator()``.
        parser_context: accepted here but not used anywhere in this excerpt
            (the rest of the original method is not shown on this page).
    """
    # NOTE(review): ``assert`` is stripped under ``python -O``, so this type
    # check is a developer aid, not a runtime guarantee.
    assert isinstance(request, HttpRequest), (
        'The `request` argument must be an instance of '
        '`django.http.HttpRequest`, not `{}.{}`.'
        .format(request.__class__.__module__, request.__class__.__name__)
    )
    self._request = request
    # ``or ()`` normalises ``None`` (and any other falsy value) to an empty tuple.
    self.parsers = parsers or ()
    self.authenticators = authenticators or ()
    self.negotiator = negotiator or self._default_negotiator()
@property
def user(self):
    """Return the current user, running authentication on the first access.

    The result is cached on ``self._user``: once that attribute exists
    (whether set here or through the setter) ``_authenticate()`` is not
    run again. The ``wrap_attributeerrors`` context manager is defined
    elsewhere in the file; its exact behaviour is not visible here.
    """
    if hasattr(self, '_user'):
        return self._user
    with wrap_attributeerrors():
        self._authenticate()
    return self._user
@user.setter
def user(self, value):
    """Set the current user explicitly (``request.user = some_user``).

    The value is written to the wrapped ``HttpRequest`` and cached on
    ``self._user``; because the cache attribute now exists, the getter
    will not run ``_authenticate()`` afterwards.
    """
    self._request.user = value
    self._user = value
可以看到,user执行了self._authenticate方法,返回的_user为当前用户
截取self._authenticate的代码如下:
def _authenticate(self):
    """Try each configured authenticator in order.

    Every ``authenticator.authenticate(self)`` call is guarded so that an
    ``APIException`` first resets the request's auth state via
    ``_not_authenticated()`` and is then re-raised unchanged. This excerpt
    stops after the ``except`` clause: what happens with
    ``user_auth_tuple`` (e.g. assigning ``self._user``) is not shown on
    this page.
    """
    for authenticator in self.authenticators:
        try:
            # Calls the authenticate() method of the configured authentication component.
            user_auth_tuple = authenticator.authenticate(self)
        except exceptions.APIException:
            self._not_authenticated()
            raise
def authenticate(self, request):
    """Authenticate against the session user stored on the wrapped ``HttpRequest``.

    Returns ``(user, None)`` when ``request._request.user`` is present,
    active and the CSRF check in ``enforce_csrf`` passes. Returns ``None``
    when there is no user or the user is inactive, which signals "not
    authenticated by this scheme" rather than an error. CSRF is only
    enforced once a session user has been found; ``enforce_csrf`` raises
    on failure, so a failed check never reaches the return below.
    """
    session_user = getattr(request._request, 'user', None)
    if session_user and session_user.is_active:
        # Only a logged-in, active session user needs CSRF validation.
        self.enforce_csrf(request)
        return (session_user, None)
    # No usable session user: CSRF validation is not required.
    return None
def enforce_csrf(self, request):
    """Run Django's CSRF middleware checks against ``request``.

    ``process_request`` populates ``request.META['CSRF_COOKIE']``, which
    ``process_view`` then uses to validate the token. ``process_view``
    returns a reason string on failure, which is surfaced as
    ``exceptions.PermissionDenied`` ("CSRF Failed: <reason>"). Returns
    ``None`` when the check passes.
    """
    csrf_check = CSRFCheck()
    # Must run before process_view(): it reads the CSRF cookie into request.META.
    csrf_check.process_request(request)
    failure_reason = csrf_check.process_view(request, None, (), {})
    if not failure_reason:
        return
    # A non-empty reason means the token check failed; reject explicitly.
    raise exceptions.PermissionDenied('CSRF Failed: %s' % failure_reason)