logo标签列表

Django的AuthenticationMiddleware有什么技巧?

pythondjango
3

我正在阅读Django的源代码,并遇到了关于AuthenticationMiddleware的问题。

正如文档所述,AuthenticationMiddleware

将用户属性(一个User模型实例)添加到每个传入的HttpRequest中

但是我无法理解在AuthenticationMiddleware.process_request()中如何实现这一点。如下面的代码所示,process_request只是将LazyUser()分配给request.__class__,与User模型无关。而LazyUser.__get__()似乎非常奇怪,让我感到很困惑。

class LazyUser(object):
    def __get__(self, request, obj_type=None):
        if not hasattr(request, '_cached_user'):
            from django.contrib.auth import get_user
            request._cached_user = get_user(request)
        return request._cached_user

class AuthenticationMiddleware(object):
    def process_request(self, request):
        assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
        request.__class__.user = LazyUser()
        return None

简单来说,当 AuthenticationMiddleware 在处理 HttpRequest 时发生了什么?在幕后发生了什么事情?
2个回答
6
< p > LazyUser 对象是一个Python描述符,即一个对象,可以通过其父类的实例来指定如何访问自身。让我看看能否为您分解: 
# Having a LazyUser means we don't have to get the actual User object
# for each request before it's actually accessed.
class LazyUser(object):
    # Define the __get__ operation for the descripted object.
    # According to the docs, "descr.__get__(self, obj, type=None) --> value".
    # We don't need the type (obj_type) for anything, so don't mind that.
    def __get__(self, request, obj_type=None):
        # This particular request doesn't have a cached user?
        if not hasattr(request, '_cached_user'):
            # Then let's go get it!
            from django.contrib.auth import get_user
            # And save it to that "hidden" field.
            request._cached_user = get_user(request)
        # Okay, now we have it, so return it.
        return request._cached_user

class AuthenticationMiddleware(object):
    # This is done for every request...
    def process_request(self, request):
        # Sanity checking.
        assert hasattr(request, 'session'), "blah blah blah."
        # Put the descriptor in the class's dictionary. It can thus be
        # accessed by the class's instances with `.user`,  and that'll
        # trigger the above __get__ method, eventually returning an User, 
        # AnonymousUser, or what-have-you.
        # Come to think of it, this probably wouldn't have to be done 
        # every time, but the performance gain of checking whether we already
        # have an User attribute would be negligible, or maybe even negative.
        request.__class__.user = LazyUser()
        # We didn't mess with the request enough to have to return a
        # response, so return None.
        return None

那有帮助吗?:)

非常感谢您详细的回答!跟进问题,request.user = LazyUser()request.__class__.user = LazyUser()有什么区别?我认为前者也可以,不是吗? - qweruiop
另外,当我们通过 request.user.username 访问 LazyUser 时,为什么会将 request 作为第二个参数传递给 __get__?根据文档,应该是 user 才对:“而实例则是访问属性的实例”。 - qweruiop
@ColinZ:文档中有一个棘手的短语。在这种情况下,“instance”指的是“request”,而“LazyUser”是“attribute”(称为user,但LazyUser不知道)。 - AKX
完全没有头绪...我想最好去查阅一些详细的参考资料。谢谢! - qweruiop
0

LazyUser只是一个包装器,一个懒惰的包装器。 get方法是Python的魔法方法之一,当对象被访问时将被调用。因此,仅在实际使用时才确定用户是否存在。这是有意义的,因为此操作将触发数据库调用,只有在确实需要用户时才应该发生。

LazyUser不是分配给请求实例本身,而是分配给请求实例类,这也使其对实例可用。我无法解释为什么要这样做。

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接