开发者

Restricting access to Ajax services using django.contrib.auth

In a web application already using django.contrib.auth for authentication, I'm looking for the "standard" approach for restricting access to Ajax services to authenticated users only.

Using the @login_required decorator won't do, because that just redirects unauthenticated users to a login page. For a service, we should probably be sending a valid, well-formed error response back -- not some login form.

This is the first approach that comes to mind:

from django.http import HttpResponse

def some_json_service_view(request):
    if not request.user.is_authenticated():
        return HttpResponse('{success: false}')
    return HttpResponse('{success: true}')

Taking it one step farther, if I could standardize on a single response for all "not authenticated" errors, then a decorator would be nice:

from django.http import HttpResponse

def login_required_json(f):
    def new_f(request):
        if not request.user.is_authentica开发者_StackOverflow社区ted():
            return HttpResponse('{success: false}')
        return f(request)
    return new_f

@login_required_json
def some_json_service_view(request):
    return HttpResponse('{success: true}')

Is this how everybody else does it, or is there a more accepted way it's done? Ideally, someone could point me to the django.contrib package made for this purpose.


That's an example that will work great if the AJAX services are consumed by your front-end clients only. I do that all the time, because the same design gets used for pushing all other kinds of data to the client through the response for which the client needs to perform additional actions or otherwise provide some feedback to the user. It works great when your site has mixed users, i.e. you support both anonymous and registered users.

If your building services for 3rd party vendors though, you'll either have to use OAuth, basic HTTP access authentication or digest HTTP access authentication. You do this when you know/assume that users who are performing the requests all have registered credentials. Hence, these authentication schemes allow a user to authenticate themselves if the authentication system challenges them for credentials, which they can immediately supply at hand, without manually having to enter them at a redirected login page.

So if your services have mixed users, I'd stick with what you have. Otherwise, you'll have to take up on something more elaborate, something that assumes that unauthenticated users have and can immediately supply their credentials.

In either case, I suggest you take a look at django-piston. It's like a pretty straightforward controller for parsing AJAX requests and serializing AJAX responses. Based on the supplied model and HTTP verb, it can automatically do a lot of the heavy lifting for you when exposing model access to user agents, plus it also comes packed with OAuth and HTTP access authentication.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜