
In Django DRF, can an authenticated user with a token access other users' data?

In Django DRF, can an authenticated user with a token access other users' data? I know it shouldn't, but in my application it's not happening. For testing I was using the token in Postman, but I was surprised when I saw that, by using one user's token, I can access any other user's data by changing the PK in the URL. When I researched this on the internet I couldn't find any definite answer. Maybe I was using the token authentication method wrongly...

But my main question is: if I have one user's token, then by just changing the pk in the URL, should I be able to get other users' data? If so, how do I avoid that?

(Note: I am currently NOT using HTTPS.) (Also, this is a conceptual question, so after getting the answer to this I may need to ask another question regarding an error in my code; that I will. But please provide an answer to this.)

If your view for sending user data has only the permission class IsAuthenticated, then yes, this behavior is to be expected. What you need to do is implement another permission, IsOwner, that checks whether the user asking for the data is its owner or not.
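The following is an added example of such an `IsOwner` permission; it is not code from the question or from either answer. It assumes the protected model instance exposes its owning user through an attribute named `owner` (or is itself the User row), and it uses DRF's real `BasePermission` when `rest_framework` is importable, falling back to a minimal stand-in so the check can be exercised offline. The `FakeUser`/`FakeRequest`/`FakeProfile` classes are constructed stand-ins for the scenario in the question (one user's token, another user's pk in the URL).

```python
"""IsOwner: object-level permission so a token for user A cannot read user B's row.

Added example, not code from the question or the answers. Assumptions: the
model instance exposes its owner through an attribute named ``owner`` (or is
the User record itself), and the view is a DRF generic view, which calls
check_object_permissions() from get_object(). If rest_framework is not
importable, a minimal stand-in for BasePermission is defined so the logic
can run offline; with DRF installed the real base class is used.
"""
try:
    from rest_framework.permissions import BasePermission
except ImportError:  # DRF absent: shim only the interface this class overrides
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class IsOwner(BasePermission):
    """Grant access to an object only if request.user owns it."""

    owner_attr = "owner"  # assumption: name of the FK to the owning user

    def has_object_permission(self, request, view, obj):
        user = getattr(request, "user", None)
        if user is None or not getattr(user, "is_authenticated", False):
            return False  # anonymous callers never own anything
        owner = getattr(obj, self.owner_attr, obj)  # fallback: obj is the User
        owner_pk = getattr(owner, "pk", None)
        return owner_pk is not None and owner_pk == getattr(user, "pk", None)


# Settings wiring, shown as plain data so this file runs without Django.
# Token auth only establishes *who* the caller is; on the view, set
# permission_classes = [IsAuthenticated, IsOwner] to also decide *what*
# that caller may read.
REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.TokenAuthentication",
    ],
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}


# --- constructed stand-ins for request/user/model objects (offline use only) ---
class FakeUser:
    def __init__(self, pk, is_authenticated=True):
        self.pk = pk
        self.is_authenticated = is_authenticated


class FakeRequest:
    def __init__(self, user, method="GET"):
        self.user = user
        self.method = method


class FakeProfile:
    """Mimics a model with a ForeignKey(User) called ``owner``."""

    def __init__(self, pk, owner):
        self.pk = pk
        self.owner = owner


def may_read(requesting_user, obj):
    """Return True if ``requesting_user`` passes IsOwner for ``obj``."""
    return IsOwner().has_object_permission(FakeRequest(requesting_user), None, obj)


def demo():
    """Replay the question's scenario: bob's token, alice's pk in the URL."""
    alice = FakeUser(pk=1)
    bob = FakeUser(pk=2)
    anon = FakeUser(pk=None, is_authenticated=False)
    alices_profile = FakeProfile(pk=10, owner=alice)
    return {
        "alice_reads_own": may_read(alice, alices_profile),        # True
        "bob_reads_alices": may_read(bob, alices_profile),         # False -> 403
        "anon_reads_alices": may_read(anon, alices_profile),       # False
        "alice_reads_user_row": may_read(alice, alice),            # True
        "bob_reads_alice_user_row": may_read(bob, alice),          # False
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

One caveat worth checking in your own code: DRF's generic views (`RetrieveAPIView`, `ModelViewSet`, etc.) run `has_object_permission` automatically inside `get_object()`, but a hand-written `APIView.get()` that fetches the row with `Model.objects.get(pk=pk)` must call `self.check_object_permissions(request, obj)` itself, or `IsOwner` is never consulted. Filtering `get_queryset()` by `request.user` is a complementary defence that returns 404 instead of 403 for foreign pks.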

No. If that happened, it means you implemented authentication the wrong way.

Make sure you set the authentication scheme to 'rest_framework.authentication.TokenAuthentication'

and include 'rest_framework.authtoken' in your INSTALLED_APPS.
