Latest build

Tom Christie 2012-09-05 21:14:24 +01:00
parent 3d2dceb687
commit a76b9b0f92
3 changed files with 41 additions and 14 deletions

@ -127,6 +127,7 @@ margin-top: 5px;
<div class="well affix span3">
<ul class="nav nav-list side-nav">
<li class="main"><a href="#authentication">Authentication</a></li>
<li><a href="#how-authentication-is-determined">How authentication is determined</a></li>
<li><a href="#setting-the-authentication-policy">Setting the authentication policy</a></li>
<li><a href="#userbasicauthentication">UserBasicAuthentication</a></li>
<li><a href="#tokenbasicauthentication">TokenBasicAuthentication</a></li>
@ -143,17 +144,25 @@ margin-top: 5px;
<p>Authentication is the mechanism of associating an incoming request with a set of identifying credentials, such as the user the request came from, or the token that it was signed with. The <a href="permissions">permission</a> and <a href="throttling">throttling</a> policies can then use those credentials to determine if the request should be permitted.</p>
<p>REST framework provides a number of authentication policies out of the box, and also allows you to implement custom policies.</p>
<p>Authentication will run the first time either the <code>request.user</code> or <code>request.auth</code> properties are accessed, and determines how those properties are initialized.</p>
<p>The <code>request.user</code> property will typically be set to an instance of the <code>contrib.auth</code> package's <code>User</code> class.</p>
<p>The <code>request.auth</code> property is used for any additional authentication information, for example, it may be used to represent an authentication token that the request was signed with.<br />
</p>
<h2 id="how-authentication-is-determined">How authentication is determined</h2>
<p>Authentication is always set as a list of classes. REST framework will attempt to authenticate with each class in the list, and will set <code>request.user</code> and <code>request.auth</code> using the return value of the first class that successfully authenticates.</p>
<p>If no class authenticates, <code>request.user</code> will be set to an instance of <code>django.contrib.auth.models.AnonymousUser</code>, and <code>request.auth</code> will be set to <code>None</code>.</p>
<p>The value of <code>request.user</code> and <code>request.auth</code> for unauthenticated requests can be modified using the <code>UNAUTHENTICATED_USER</code> and <code>UNAUTHENTICATED_TOKEN</code> settings.</p>
<h2 id="setting-the-authentication-policy">Setting the authentication policy</h2>
<p>The default authentication policy may be set globally, using the <code>DEFAULT_AUTHENTICATION_CLASSES</code> setting. For example.</p>
<p>The default authentication policy may be set globally, using the <code>DEFAULT_AUTHENTICATION</code> setting. For example.</p>
<pre><code>API_SETTINGS = {
'DEFAULT_AUTHENTICATION_CLASSES': (
'DEFAULT_AUTHENTICATION': (
'djangorestframework.authentication.UserBasicAuthentication',
'djangorestframework.authentication.SessionAuthentication',
)
}
</code></pre>
<p>You can also set the authentication policy on a per-view basis, using the <code>APIView</code> class based views.</p>
<pre><code>class ExampleView(APIView):
authentication_classes = (SessionAuthentication,)
authentication_classes = (SessionAuthentication, UserBasicAuthentication)
def get(self, request, format=None):
content = {
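Review bot: The new "How authentication is determined" section does not say what happens when a request supplies credentials that are wrong. As written, "If no class authenticates, request.user will be set to an instance of django.contrib.auth.models.AnonymousUser" reads as if a failed Basic login is silently treated as an anonymous request, so it is worth stating that explicitly and pointing out that a view which needs a logged-in user has to enforce that through its permission policy. Since the first class that authenticates wins, the section should also say that the order of the list is significant.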
@ -163,7 +172,10 @@ margin-top: 5px;
return Response(content)
</code></pre>
<p>Or, if you're using the <code>@api_view</code> decorator with function based views.</p>
<pre><code>@api_view(allowed=('GET',), authentication_classes=(SessionAuthentication,))
<pre><code>@api_view(
allowed=('GET',),
authentication_classes=(SessionAuthentication, UserBasicAuthentication)
)
def example_view(request, format=None):
content = {
'user': unicode(request.user), # `django.contrib.auth.User` instance.
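Review bot: The comment on the 'user' line gives the class as `django.contrib.auth.User`, but the model lives in django.contrib.auth.models, which is the path the AnonymousUser text earlier in this file uses. Suggest changing the comment to `django.contrib.auth.models.User`, and noting that the value can also be the AnonymousUser instance when neither SessionAuthentication nor UserBasicAuthentication authenticates the request.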

@ -146,7 +146,7 @@ margin-top: 5px;
<li>It's more explicit.</li>
<li>It leaves less work for your API clients.</li>
<li>There's no ambiguity about the meaning of the string when it's found in representations such as JSON that do not have a native URI type.</li>
<li>It allows use to easily do things like markup HTML representations with hyperlinks.</li>
<li>It makes it easy to do things like markup HTML representations with hyperlinks.</li>
</ul>
<p>REST framework provides two utility functions to make it more simple to return absolute URIs from your Web API.</p>
<p>There's no requirement for you to use them, but if you do then the self-describing API will be able to automatically hyperlink it's output for you, which makes browsing the API much easier.</p>
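Review bot: The reworded list item still uses "markup" as a verb, and the unchanged paragraph two lines below it has "hyperlink it's output". Suggest "mark up HTML representations" and "hyperlink its output", and "simpler" in place of "more simple" while this block is being touched.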

@ -135,7 +135,8 @@ margin-top: 5px;
<li><a href="#default_model_serializer">DEFAULT_MODEL_SERIALIZER</a></li>
<li><a href="#default_pagination_serializer">DEFAULT_PAGINATION_SERIALIZER</a></li>
<li><a href="#format_suffix_kwarg">FORMAT_SUFFIX_KWARG</a></li>
<li><a href="#unauthenticated_user_class">UNAUTHENTICATED_USER_CLASS</a></li>
<li><a href="#unauthenticated_user">UNAUTHENTICATED_USER</a></li>
<li><a href="#unauthenticated_token">UNAUTHENTICATED_TOKEN</a></li>
<li><a href="#form_method_override">FORM_METHOD_OVERRIDE</a></li>
<li><a href="#form_content_override">FORM_CONTENT_OVERRIDE</a></li>
<li><a href="#form_contenttype_override">FORM_CONTENTTYPE_OVERRIDE</a></li>
@ -147,8 +148,8 @@ margin-top: 5px;
<div class="span9">
<h1 id="settings">Settings</h1>
<p>Settings for REST framework are all namespaced in the <code>API_SETTINGS</code> setting.
For example your project's <code>settings.py</code> file might look like this:</p>
<p>Configuration for REST framework is all namespaced inside the <code>API_SETTINGS</code> setting.</p>
<p>For example your project's <code>settings.py</code> file might look like this:</p>
<pre><code>API_SETTINGS = {
'DEFAULT_RENDERERS': (
'djangorestframework.renderers.YAMLRenderer',
@ -189,25 +190,39 @@ For example your project's <code>settings.py</code> file might look like this:</
)
</code></pre>
<h2 id="default_permissions">DEFAULT_PERMISSIONS</h2>
<p>A list or tuple of permission classes, that determines the default set of permissions checked at the start of a view.</p>
<p>Default: <code>()</code></p>
<h2 id="default_throttles">DEFAULT_THROTTLES</h2>
<p>A list or tuple of throttle classes, that determines the default set of throttles checked at the start of a view.</p>
<p>Default: <code>()</code></p>
<h2 id="default_model_serializer">DEFAULT_MODEL_SERIALIZER</h2>
<p>Default: <code>djangorestframework.serializers.ModelSerializer</code></p>
<h2 id="default_pagination_serializer">DEFAULT_PAGINATION_SERIALIZER</h2>
<p>Default: <code>djangorestframework.pagination.PaginationSerializer</code></p>
<h2 id="format_suffix_kwarg">FORMAT_SUFFIX_KWARG</h2>
<p>Default: <code>format</code></p>
<h2 id="unauthenticated_user_class">UNAUTHENTICATED_USER_CLASS</h2>
<p>Default: <code>'format'</code></p>
<h2 id="unauthenticated_user">UNAUTHENTICATED_USER</h2>
<p>The class that should be used to initialize <code>request.user</code> for unauthenticated requests.</p>
<p>Default: <code>django.contrib.auth.models.AnonymousUser</code></p>
<h2 id="unauthenticated_token">UNAUTHENTICATED_TOKEN</h2>
<p>The class that should be used to initialize <code>request.auth</code> for unauthenticated requests.</p>
<p>Default: <code>None</code></p>
<h2 id="form_method_override">FORM_METHOD_OVERRIDE</h2>
<p>Default: <code>_method</code></p>
<p>The name of a form field that may be used to override the HTTP method of the form.</p>
<p>If the value of this setting is <code>None</code> then form method overloading will be disabled.</p>
<p>Default: <code>'_method'</code></p>
<h2 id="form_content_override">FORM_CONTENT_OVERRIDE</h2>
<p>Default: <code>_content</code></p>
<p>The name of a form field that may be used to override the content of the form payload. Must be used together with <code>FORM_CONTENTTYPE_OVERRIDE</code>.</p>
<p>If either setting is <code>None</code> then form content overloading will be disabled.</p>
<p>Default: <code>'_content'</code></p>
<h2 id="form_contenttype_override">FORM_CONTENTTYPE_OVERRIDE</h2>
<p>Default: <code>_content_type</code></p>
<p>The name of a form field that may be used to override the content type of the form payload. Must be used together with <code>FORM_CONTENT_OVERRIDE</code>.</p>
<p>If either setting is <code>None</code> then form content overloading will be disabled.</p>
<p>Default: <code>'_content_type'</code></p>
<h2 id="url_accept_override">URL_ACCEPT_OVERRIDE</h2>
<p>Default: <code>_accept</code></p>
<p>The name of a URL parameter that may be used to override the HTTP <code>Accept</code> header.</p>
<p>If the value of this setting is <code>None</code> then URL accept overloading will be disabled.</p>
<p>Default: <code>'_accept'</code></p>
</div><!--/span-->
</div><!--/row-->
</div><!--/.fluid-container-->
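Review bot: UNAUTHENTICATED_TOKEN is described as "The class that should be used to initialize request.auth" while its default is None, so it is unclear whether the setting takes a class that gets instantiated or a literal value. Suggest wording both UNAUTHENTICATED_USER and UNAUTHENTICATED_TOKEN to say what is done with the value, including what None means for request.auth. DEFAULT_MODEL_SERIALIZER, DEFAULT_PAGINATION_SERIALIZER and FORMAT_SUFFIX_KWARG still carry only a Default line and could get a one-sentence description like the other settings in this hunk.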