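Requests to an embedded field of a MongoEngineResource do not go through the authentication process if the field contains a reference field.
My situation is as follows:
- There is a document Section, which consists of FieldDefinitions
- FieldDefinitions are EmbeddedDocuments
- FieldDefinition contains embedded_section (optional), which references Section, and there is a signal that excludes self-referencing (e.g. embedded_section can only reference a section that does not contain the FieldDefinition)
- All of this is part of the moderator interface, so I use authorization for all kinds of requests (get, post, patch, etc.)
Here is the code: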
```python
from tastypie_mongoengine.resources import MongoEngineResource
from tastypie_mongoengine.fields import EmbeddedListField, ReferenceField
from tastypie.authentication import ApiKeyAuthentication
from apps.api.auth import CustomAuthorization
# `models` is the project's module defining Section and FieldDefinition;
# its import is not shown in the post.


class FieldDefinitionResource(MongoEngineResource):
    # Optional reference from an embedded FieldDefinition back to a Section
    embedded_section = ReferenceField(attribute='embedded_section',
                                      to='myproject.apps.api.resources.SectionResource',
                                      full=True, null=True)

    class Meta:
        object_class = models.FieldDefinition  # mongoengine EmbeddedDocument
        authentication = ApiKeyAuthentication()
        authorization = CustomAuthorization()


class SectionResource(MongoEngineResource):
    # List of embedded FieldDefinitions, exposed under /section/<id>/fields/<index>/
    fields = EmbeddedListField(attribute='fields',
                               of='myproject.apps.api.resources.FieldDefinitionResource',
                               full=True, null=True)

    class Meta:
        object_class = models.Section  # mongoengine Document
        authentication = ApiKeyAuthentication()
        authorization = CustomAuthorization()
```
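So, when I request the Section detail (e.g. /api/v1/section/524df40502c8f109b07ed6ae/), everything goes well, including the fields attr, both with and without embedded_section.
But trying to reference a specific field (e.g. /api/v1/section/524df40502c8f109b07ed6ae/fields/0/) raises an error: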
error_message: "'AnonymousUser' object has no attribute 'has_permission'"
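has_permission is a method of MongoUser, which inherits from Django auth.User. In the first case described (Section detail), it does go through authentication and populates request.user with the appropriate user object, while in the second case (Section field) it skips the authentication stage entirely and goes straight to authorization.
Am I doing something wrong?
Here is the full traceback: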
{"error_message": "'AnonymousUser' object has no attribute 'has_permission'", "traceback": "Traceback (most recent call last):
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie/resources.py", line 195, in wrapper
response = callback(request, *args, **kwargs)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie_mongoengine/resources.py", line 277, in dispatch_subresource
return resource.dispatch(request=request, **kwargs)
File "/vagrant/myproject/myproject/apps/api/resources.py", line 248, in dispatch
super(FieldDefinitionResource, self).dispatch(request_type, request, **kwargs)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie_mongoengine/resources.py", line 776, in dispatch
self.instance = self._safe_get(bundle, **kwargs)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie_mongoengine/resources.py", line 768, in _safe_get
return self.parent.cached_obj_get(bundle=bundle, **filters)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie/resources.py", line 1113, in cached_obj_get
cached_bundle = self.obj_get(bundle=bundle, **kwargs)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie_mongoengine/resources.py", line 528, in obj_get
return super(MongoEngineResource, self).obj_get(bundle=bundle, **kwargs)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie/resources.py", line 2069, in obj_get
self.authorized_read_detail(object_list, bundle)
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/tastypie/resources.py", line 589, in authorized_read_detail
auth_result = self._meta.authorization.read_detail(object_list, bundle)
File "/vagrant/myproject/myproject/apps/api/auth.py", line 201, in read_detail
bundle.request.user.has_permission('read_detail',
File "/var/www/vhosts/myproject/local/lib/python2.7/site-packages/django/utils/functional.py", line 205, in inner
return func(self._wrapped, *args)
AttributeError: 'AnonymousUser' object has no attribute 'has_permission'
"}
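
As an added example (not part of the original post, and not tastypie or tastypie_mongoengine code), the sketch below shows a fail-closed `read_detail` check that denies a request whose `request.user` lacks `has_permission` instead of raising the `AttributeError` seen in the traceback. All classes are stand-ins, `FailClosedAuthorization` and `try_read` are hypothetical names, and the second argument to `has_permission` is an assumption because the call is cut off in the traceback.

```python
# Added example: stand-in classes model only what the post and traceback show.

class Unauthorized(Exception):
    """Stand-in for tastypie.exceptions.Unauthorized."""

class AnonymousUser(object):
    """Stand-in for Django's AnonymousUser: it has no has_permission()."""

class MongoUser(object):
    """Stand-in for the post's MongoUser; the signature below is assumed."""
    def __init__(self, permissions):
        self.permissions = set(permissions)

    def has_permission(self, action, obj):
        return (action, type(obj).__name__) in self.permissions

class Request(object):
    def __init__(self, user):
        self.user = user

class Bundle(object):
    def __init__(self, request, obj):
        self.request, self.obj = request, obj

class Section(object):
    """Stand-in for the Section document."""

class FailClosedAuthorization(object):
    """Hypothetical variant of the post's CustomAuthorization.read_detail."""
    def read_detail(self, object_list, bundle):
        user = getattr(bundle.request, "user", None)
        check = getattr(user, "has_permission", None)
        # A user object without has_permission() was never authenticated:
        # deny explicitly rather than crash with AttributeError.
        if not callable(check):
            raise Unauthorized("authentication required")
        if not check("read_detail", bundle.obj):
            raise Unauthorized("permission denied")
        return True

def try_read(user):
    """Return 'ok' or the denial reason for one read_detail attempt."""
    try:
        FailClosedAuthorization().read_detail([], Bundle(Request(user), Section()))
        return "ok"
    except Unauthorized as exc:
        return str(exc)
```

This turns the unauthenticated sub-resource request into a denial, but it does not change the order in which authentication and authorization run on that path.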