In Django DRF, can an authenticated user with a token access other users' data?
In Django DRF, can an authenticated user with a token access other users' data? I know it shouldn't, but in my application it's not happening. For testing I was using the token in Postman, but I was surprised when I saw that by using one user's token I can access any other user's data by changing the PK in the URL. When I researched this on the internet I couldn't find any definite answer. Maybe I was using the token authentication method wrongfully...
But my main question is: if I have one user's token, then by just changing the pk in the URL, should I be able to get other users' data? If so, how to avoid that?
(Note: I am currently NOT using HTTPS.) (Also, this is a conceptual question, so after getting an answer to this I may need to ask another question regarding an error in my code; that I will. But please provide an answer to this.)
If your view for sending user data has only the permission class IsAuthenticated, then yes, this behavior is to be expected. What you need to do is implement another permission, IsOwner, that checks whether the user asking for the data is its owner or not.
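An object-level permission of the kind this answer describes, added here as an example (it is not code from the question or the answer). It assumes the model has an `owner` field, stubs DRF's `BasePermission` when `rest_framework` is not installed, and builds constructed stand-in request objects so it runs without a database:

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # assumption: stub so the file also runs where DRF is absent
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


class IsOwner(BasePermission):
    """Allow a request only when the authenticated user owns the object.

    Assumes the model has an `owner` field (a User record owns itself).
    DRF calls has_object_permission only from views that invoke
    check_object_permissions(); GenericAPIView.get_object() does so for
    detail routes such as /users/<pk>/, which is where changing the pk
    leaked data in the question. List routes never reach it, so the view
    must also restrict get_queryset() (see owned_only below).
    """

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        return bool(user and getattr(user, "is_authenticated", False))

    def has_object_permission(self, request, view, obj):
        owner = getattr(obj, "owner", obj)  # fall back: the object is the user
        return owner == request.user


def owned_only(queryset, user):
    """What get_queryset() should return for list endpoints: in Django this
    is queryset.filter(owner=user); written over a plain iterable here."""
    return [obj for obj in queryset if getattr(obj, "owner", obj) == user]


def verdict(requester, record_owner, authenticated=True):
    """Constructed request/object pair; returns IsOwner's combined decision."""
    user = SimpleNamespace(pk=requester, is_authenticated=authenticated)
    owner = SimpleNamespace(pk=record_owner, is_authenticated=True)
    request = SimpleNamespace(user=user, method="GET")
    obj = SimpleNamespace(pk=42, owner=owner)
    perm = IsOwner()
    return (perm.has_permission(request, None)
            and perm.has_object_permission(request, None, obj))
```

Attach it with `permission_classes = [IsAuthenticated, IsOwner]` on the detail view, and have the list view's `get_queryset()` filter by `request.user` so the two checks cover both routes.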
No. If that happened, it means you implemented authentication the wrong way.
Make sure you set the authentication scheme to 'rest_framework.authentication.TokenAuthentication' and include 'rest_framework.authtoken' in your INSTALLED_APPS.