对于Django而言,虽然自带了一些基本的通用权限限制,但现实中,可能我们更希望自己去定义业务权限划分
Django对于权限这块的部分验证方法
user = request.user
user.is_superuser #是否是超级管理员
user.s_anonymous() #是否匿名用户,及未登录用户
user.groups.select_related() #获取用户对应的组角色对象,
#当获取到group后,通过group.name获取组名,
下面是一段完整的权限控制例子
#!/usr/bin/env python
# encoding:utf8 from django.core.urlresolvers import resolve
from django.shortcuts import render # 定义角色权限
roles = {
'consultant': ['Customer', 'ConsultRecord'],
'teachers': ['Course', 'ClassList', 'CourseRecord', 'StudyRecord'],
'students': ['StudyRecord'],
}
# 权限映射
permission_map = {
'view_home': ['index', 'GET', []], # 展示对应对可操作对象
'view_object': ['admin_controller', 'GET', ['show']], # 查看具体对象对数据信息
'edit_object': ['admin_controller', 'POST', ['show', 'id']], # 具有编辑该对象对权限
'add_object_view': ['admin_controller', 'GET', ['add']], # 进入添加页面,但不表示可以进行修改,该权限用于对表格显示字段过长,显示不全,可以进入该页面查看
'add_object': ['admin_controller', 'POST', ['add']], # 具有添加该对象对权限
'delete_object': ['admin_controller', 'POST', ['show', 'data']], # 具有删除该对象对权限
} def check_process(*args, **kwargs):
request = args[0]
user = request.user
if user.is_superuser:
return True
resolver_match_obj = resolve(request.path)
url_name = resolver_match_obj.url_name
args = list(resolver_match_obj.args)
args.extend(request.GET)
args.extend(request.POST)
print('begin checking permission ', resolver_match_obj)
if url_name:
is_match = False
match_perm = None
for permission in permission_map:
permission_action = permission_map[permission] # 获取url对应的权限动作
print('----------------url action: ', permission_action)
if len(permission_action) == 3: # 为保障下面语句执行不为语法而被破坏,加上该条件,强制性判断,否则放行
define_url_name, define_request_method, define_others = permission_action
if url_name == define_url_name:
print("match url name: ", define_url_name)
if request.method == define_request_method:
print("match method: ", define_request_method)
if define_others: # 如果定义了具体参数匹配,则继续匹配参数
print("check others: ", permission, define_others)
for arg in define_others:
if hasattr(request, str(define_request_method)):
request_method = getattr(request, str(define_request_method)) # 获取对应的请求方法对象
if hasattr(request_method, arg) or arg in args: # 如果能匹配参数,则标记匹配
is_match = True
print("others match: ", arg)
else:
print("others not match: ", arg)
is_match = False
if is_match:
print("others match done: ", permission, permission_action)
match_perm = permission
break
else:
is_match = True
match_perm = permission
print("url check done ...", permission, permission_action)
break
else:
print('please check the define rules, maybe has some problem')
return True # 如果定义的动作不完整,为避免新增权限的缺陷影响业务,这种错误应该放行处理
else:
return True # 如果没有找到对应的url name则放行处理 if is_match:
print("begin check user permission ...")
if user.is_anonymous():
print("user has not login ...")
return True # 如果用户是匿名,说明该页面可能不需要权限控制,放行处理,假如该view需要登录认证,那么再次权限处理时,不会在此处理
elif user.has_perm('%s.%s' % (__package__, match_perm)):
groups = user.groups.select_related()
model_list = []
for group in groups:
if group.name in roles:
model_list.extend(roles[group.name])
if args and len(args) > 1: # 如果URL获取到参数,则对参数进行比较
access_model = args[0]
if access_model not in model_list: # 该操作主要拦截,直接使用URL方式而非超链接,尝试指定不同model访问其它数据
return False
return True
return model_list if model_list else True # 如果model_list为空,且该用户还有权限,那么只有超级用户才有这种特权了
return False def decorator(func):
def wrapper(*args, **kwargs):
check_result = check_process(*args, **kwargs)
if not check_result:
render_respond = render(args[0], '403.html')
render_respond.status_code = 403 # 修改头部信息状态码
print("permission refused ...")
return render_respond
if type(check_result) is list: # 该参数仅在本次view中可能有用,所以在return时需要尝试捕获,如果出错,则尝试移除该key,再返回,再有其它错误,就可以排除是该权限控制产生的了
kwargs['model_list'] = check_result
print('permission check passed...')
try:
return func(*args, **kwargs)
except TypeError:
kwargs.pop('model_list')
return func(*args, **kwargs)
return wrapper