我正在尝试在tastypie中编写自定义身份验证。基本上,我想使用post参数进行身份验证,我根本不想使用django auth,所以我的代码看起来像:
class MyAuthentication(Authentication):
def is_authenticated(self, request, **kwargs):
if request.method == 'POST':
token = request.POST['token']
key = request.POST['key']
return is_key_valid(token,key)
这或多或少都是这个想法。问题是我一直收到以下错误:
"error_message": "You cannot access body after reading from request's data stream"
我知道这与我正在访问POST的事实有关,但我无法确定是否有办法解决它。有任何想法吗?
谢谢。
编辑: 也许我忘了提到最重要的事情。我正在使用github中找到的技巧处理表单数据。我的资源来自多部分资源
class MultipartResource(object):
def deserialize(self, request, data, format=None):
if not format:
format = request.META.get('CONTENT_TYPE', 'application/json')
if format == 'application/x-www-form-urlencoded':
return request.POST
if format.startswith('multipart'):
data = request.POST.copy()
data.update(request.FILES)
return data
return super(MultipartResource, self).deserialize(request, data, format)
问题是 Content-Type 在您的请求中,标题未正确设置。 [参考]
Tastypie只承认 xml, json, yaml 和 bplist。因此,在发送POST请求时,您需要进行设置 Content-Type 在请求头中的任何一个(例如, application/json)。
编辑:
您似乎正在尝试通过文件发送多部分表单
Tastypie。
关于Tastypie的文件上传支持的一点背景,由Issac Kelly提供
路线图1.0最终(尚未发布):
- 实现一个Base64FileField,它接受用于PUT / POST的base64编码文件(如问题#42中的那个),并提供GET请求的URL。这将是主要的tastypie repo的一部分。
- 我们希望鼓励其他实现作为独立项目实现。有几种方法可以做到这一点,而且大多数都有点挑剔,它们都有不同的缺点,我们希望有其他选择,并记录每个方法的优缺点。
这意味着至少现在,Tastypie并没有正式支持多部分
上传文件。然而,野外有叉子 按说 加工
好, 这个 是其中之一
他们。我没有测试过它。
现在让我试着解释你遇到这个错误的原因。
在Tastypie resource.py,第452行:
def dispatch(self, request_type, request, **kwargs):
"""
Handles the common operations (allowed HTTP method, authentication,
throttling, method lookup) surrounding most CRUD interactions.
"""
allowed_methods = getattr(self._meta, "%s_allowed_methods" % request_type, None)
if 'HTTP_X_HTTP_METHOD_OVERRIDE' in request.META:
request.method = request.META['HTTP_X_HTTP_METHOD_OVERRIDE']
request_method = self.method_check(request, allowed=allowed_methods)
method = getattr(self, "%s_%s" % (request_method, request_type), None)
if method is None:
raise ImmediateHttpResponse(response=http.HttpNotImplemented())
self.is_authenticated(request)
self.is_authorized(request)
self.throttle_check(request)
# All clear. Process the request.
request = convert_post_to_put(request)
response = method(request, **kwargs)
# Add the throttled request.
self.log_throttled_access(request)
# If what comes back isn't a ``HttpResponse``, assume that the
# request was accepted and that some action occurred. This also
# prevents Django from freaking out.
if not isinstance(response, HttpResponse):
return http.HttpNoContent()
return response
convert_post_to_put(request) 从这里打电话。和 这是代码
convert_post_to_put:
# Based off of ``piston.utils.coerce_put_post``. Similarly BSD-licensed.
# And no, the irony is not lost on me.
def convert_post_to_VERB(request, verb):
"""
Force Django to process the VERB.
"""
if request.method == verb:
if hasattr(request, '_post'):
del(request._post)
del(request._files)
try:
request.method = "POST"
request._load_post_and_files()
request.method = verb
except AttributeError:
request.META['REQUEST_METHOD'] = 'POST'
request._load_post_and_files()
request.META['REQUEST_METHOD'] = verb
setattr(request, verb, request.POST)
return request
def convert_post_to_put(request):
return convert_post_to_VERB(request, verb='PUT')
而且这种方法并不是真正意图处理多部分
阻止任何进一步访问的副作用 request.body 因为
_load_post_and_files() 方法将设置 _read_started 国旗 True:
Django的 request.body 和 _load_post_and_files():
@property
def body(self):
if not hasattr(self, '_body'):
if self._read_started:
raise Exception("You cannot access body after reading from request's data stream")
try:
self._body = self.read()
except IOError as e:
six.reraise(UnreadablePostError, UnreadablePostError(*e.args), sys.exc_info()[2])
self._stream = BytesIO(self._body)
return self._body
def read(self, *args, **kwargs):
self._read_started = True
return self._stream.read(*args, **kwargs)
def _load_post_and_files(self):
# Populates self._post and self._files
if self.method != 'POST':
self._post, self._files = QueryDict('', encoding=self._encoding), MultiValueDict()
return
if self._read_started and not hasattr(self, '_body'):
self._mark_post_parse_error()
return
if self.META.get('CONTENT_TYPE', '').startswith('multipart'):
if hasattr(self, '_body'):
# Use already read data
data = BytesIO(self._body)
else:
data = self
try:
self._post, self._files = self.parse_file_upload(self.META, data)
except:
# An error occured while parsing POST data. Since when
# formatting the error the request handler might access
# self.POST, set self._post and self._file to prevent
# attempts to parse POST data again.
# Mark that an error occured. This allows self.__repr__ to
# be explicit about it instead of simply representing an
# empty POST
self._mark_post_parse_error()
raise
else:
self._post, self._files = QueryDict(self.body, encoding=self._encoding), MultiValueDict()
所以,你可以(虽然可能不应该)修补Tastypie的猴子
convert_post_to_VERB() 方法设置 request._body 通过电话
request.body 然后立即设置 _read_started=False 以便
_load_post_and_files() 将从中读取 _body 并且不会设置
_read_started=True:
def convert_post_to_VERB(request, verb):
"""
Force Django to process the VERB.
"""
if request.method == verb:
if hasattr(request, '_post'):
del(request._post)
del(request._files)
request.body # now request._body is set
request._read_started = False # so it won't cause side effects
try:
request.method = "POST"
request._load_post_and_files()
request.method = verb
except AttributeError:
request.META['REQUEST_METHOD'] = 'POST'
request._load_post_and_files()
request.META['REQUEST_METHOD'] = verb
setattr(request, verb, request.POST)
return request
你说你需要自定义身份验证,但请考虑使用 Authorization 头而已。通过使用 POST 你强制Django解析整个有效负载,假设数据是urlencoded或多部分形式编码。这实际上使得无法使用诸如JSON或YAML之类的非形式有效载荷。
class MyAuthentication(Authentication):
def is_authenticated(self, request, **kwargs):
auth_info = request.META.get('HTTP_AUTHORIZATION')
# ...
如果您在访问POST,GET,META或COOKIES属性后访问request.body(或请求.raw_post_data,如果您仍然在Django 1.3上),则会发生此错误。
在处理PUT或PATCH请求时,Tastypie将访问request.body(raw_post_data)属性。
考虑到这一点并且不知道更多细节,我会:
- 检查这是否仅发生在POST / PUT上。如果是这样,那么你将不得不做一些覆盖一些tastypie方法或放弃你的身份验证方法。
- 在代码中查找访问request.body(raw_post_data)的位置
- 寻找可能尝试访问body / raw_post_data的第三方模块(可能是中间件)的调用
希望这可以帮助!
我已经创建了一个适合我的实用方法。虽然我不确定这会如何影响Django的底层部分,但它的工作原理是:
import io
def copy_body(request):
data = getattr(request, '_body', request.body)
request._body = data
request._stream = io.BytesIO(data)
request._files = None
return data
我在中间件中使用它来添加一个 JSON 属性为 request: https://gist.github.com/antonagestam/9add2d69783287025907