权限:权限就是一个包含正则的url。
Rbac 权限管理:
Role-Based Access Control,基于角色的访问控制。用户通过角色与权限进行关联,一个用户可以有多个角色,一个角色可以有多个权限。
构造成“用户-角色-权限”的授权模型。在这种模型中,用户与角色之间,角色与权限之间,一般者是多对多的关系。
(rbac模式-role based access control):
User
id name age
alex
egon
peiqi Role
id title
销售
CEO
销售总监 UserInfo2Role
id user_id role_id permissison id title url
查看客户 /stark/crm/customer/
添加客户 /stark/crm/customer/add
查看订单 /stark/crm/order/
添加订单 /stark/crm/order/add Role2permissison id role_id permissison_id
在权限app :rbac model表中:
from django.db import models # Create your models here.
class User(models.Model):
name = models.CharField(max_length=32)
password = models.CharField(max_length=32)
roles = models.ManyToManyField('Role') def __str__(self):
return self.name class Role(models.Model): name = models.CharField(max_length=32)
permissions= models.ManyToManyField("Permission")
def __str__(self):
return self.name class Permission(models.Model): title = models.CharField(max_length=32)
url = models.CharField(max_length=128) def __str__(self):
return self.title
权限录入
在另一个app : app1 model.py 中 创建两条表记录:(可以对customer 和 Order 表进行权限管理 ,对可以进行 增删改查操作权限设置。
from django.db import models # Create your models here. class Customer(models.Model):
name = models.CharField(max_length=32,verbose_name="客户姓名") def __str__(self):
return self.name class Order(models.Model): order_id = models.CharField(max_length=32)
def __str__(self):
return self.order_id
1.进行数据的迁移, 执行:
python manage.py makemigrations
python manage.py migrate
2.引入stark组件
3. 给 权限表 设计权限 url
项目视图views 登录视图
from django.shortcuts import render,HttpResponse,redirect
from rbac.service.permissions import permission_init
# Create your views here.
from rbac.models import User
def login(request): if request.method=="GET": return render(request,"login.html")
else:
user = request.POST.get("user")
password = request.POST.get("password")
user_obj = User.objects.filter(name=user,password=password).first() if user_obj: #登录成功后:
request.session["user_id"] = user_obj.pk
# 获取登录用户的所有权限
role_queryset = user_obj.roles.all().values("permissions__url")
permission_list = []
for dic in role_queryset:
# 把所有权限加到权限列表中
permission_list.append(dic["permissions__url"])
request.session["permission_list"] = permission_list #通过调用权限文件的方法 #权限列表 注入 session request.session ["permission_list"] = permission_list
permission_init(request,user_obj)
else:
return redirect("/login/") return redirect("/index/") def index(request): return render(request,"index.html")
创建 访问权限的中间键:
from django.utils.deprecation import MiddlewareMixin from django.shortcuts import HttpResponse,render,redirect
import re
class PermissionMiddleWare(MiddlewareMixin): def process_request(self,request): #查看当前的请求路径
current_path = request.path #1 放行白名单
white_list = ["/login/","/admin*/",]
for reg in white_list:
if re.search(reg,current_path):
return None #放行
#2 判断是否登录
if not request.session.get("user_id"):
return redirect("/login/") #3 权限校正
#获取当前用户的权限列表
permission_list = request.session.get("permission_list")
#正则匹配
for reg_path in permission_list:
reg_path = "^%s$"%reg_path
if re.search(reg_path,current_path):
return None
return HttpResponse("您没有访问权限!")
权限app: rbac 相关文件安置:
在项目的settings.py 中配置该中间键:
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'rbac.service.middleware.PermissionMiddleWare',
]