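Django Permission Component
Our initial idea: it is an app that can be called at any time!
Method: RBAC (Role-Based Access Control)
Our method is RBAC, role-based access control.
1. Create a new app (remember to register the app in settings.py).
2. Every person, or every employee, has a role, and permissions are granted to the role, which makes things much simpler.
3. Every URL access needs a permission lookup, so we thought of "middleware"! (Note: remember to register it!)
Now let's write the code!
The code for the rbac middleware!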
# Middleware that checks, before the view runs, whether the logged-in user has permission!
import re
from django.utils.deprecation import MiddlewareMixin
from django.shortcuts import HttpResponse, redirect


class ValidPermission(MiddlewareMixin):
    def process_request(self, request):
        # Get the path currently being requested
        current_path = request.path_info
        # Build a whitelist and check whether the path is on it
        valid_url_list = ["/login/", "/reg/", "/admin/.*"]
        for valid_url in valid_url_list:
            ret = re.match(valid_url, current_path)  # match the URL with a regular expression
            if ret:
                return None
        # Check whether the user is logged in
        user_id = request.session.get("user_id")
        if not user_id:
            return redirect("/login/")
        # Verify permissions
        permission_list = request.session.get("permissions_list", [])  # permitted URLs; empty list if none
        key = False  # flag that records whether a permission matched
        for permission in permission_list:
            permission = "^%s$" % permission  # anchor the pattern with ^ and $
            print("++++++++++++", permission)
            print("------------", current_path)
            ret = re.match(permission, current_path)
            if ret:
                key = True
                break
        # print(key)
        if not key:
            return HttpResponse("没有访问权限")
        return None
permission.py holds the user's permissions; at login the permissions are written into the session.
# Register the user's permissions here!
def initial_permission(user, request):
    permission = user.roles.all().values("permissions__url").distinct()
    permissions_list = []
    for item in permission:
        # print("================", item)  item is a dict
        permissions_list.append(item["permissions__url"])
    # print(permissions_list)  output is a list: ['/permission/', '/permission/delet/']
    # Now store the list in the session!
    request.session["permissions_list"] = permissions_list
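The decision the middleware above makes for each request, as an added framework-free example (not the original author's code). The names `matches`, `decide` and `SAMPLE_SESSION` are hypothetical, and the session contents are constructed; it shows why the permission URLs are wrapped in `^...$` while the whitelist entries are matched as prefixes.

```python
import re

# Same whitelist as the middleware; every entry is a regular expression.
WHITELIST = ["/login/", "/reg/", "/admin/.*"]


def matches(pattern, path, anchored=True):
    """Return True if path matches pattern. With anchored=True the pattern is
    wrapped in ^...$, as the middleware does for permission URLs."""
    if anchored:
        pattern = "^%s$" % pattern
    return re.match(pattern, path) is not None


def decide(path, session, whitelist=WHITELIST):
    """Mirror ValidPermission.process_request: 'allow', 'login' or 'deny'."""
    # Whitelist entries are used as written, so re.match treats them as prefixes.
    if any(matches(p, path, anchored=False) for p in whitelist):
        return "allow"
    # No user_id in the session: the middleware redirects to /login/.
    if not session.get("user_id"):
        return "login"
    # Permission URLs come from the session and must match the whole path.
    if any(matches(p, path) for p in session.get("permissions_list", [])):
        return "allow"
    return "deny"


# Constructed sample session: a user whose role grants only the list view.
SAMPLE_SESSION = {"user_id": 7, "permissions_list": ["/user/"]}

if __name__ == "__main__":
    for path in ["/login/", "/user/", "/user/add/", "/roles/"]:
        print(path, "->", decide(path, SAMPLE_SESSION))
    print("/user/ (anonymous) ->", decide("/user/", {}))
    # Without the ^...$ wrapper, the "/user/" permission would also cover "/user/add/".
    print("unanchored:", matches("/user/", "/user/add/", anchored=False))
```

Because each stored permission URL is compiled as a regular expression, characters such as `.` in a stored URL act as wildcards unless they are escaped.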
Below are the functions of the main views file, views.py.
from django.shortcuts import render, HttpResponse
from rbac1 import models
from rbac1.service.permission import *


# Create your views here.
def login(request):
    if request.method == "POST":
        name = request.POST.get("user")
        pwd = request.POST.get("pwd")
        # print(name, pwd)
        user = models.User.objects.filter(name=name, pwd=pwd).first()
        if user:
            # Store the user ID in the session, together with the cookie, so it is easy to retrieve later!
            request.session["user_id"] = user.pk
            # Store the user's permissions in the session; the permission table is a separate table, imported above
            initial_permission(user, request)
            return HttpResponse("登录成功!")
    return render(request, "login.html")


def user(request):
    user_list = models.User.objects.all()
    return render(request, "users.html", {"user_list": user_list})


def add_user(request):
    return HttpResponse("add user.....")


def roles(request):
    role_list = models.Role.objects.all()
    return render(request, "roles.html", {"role_list": role_list})
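from django.conf.urls import url
from django.contrib import admin
from app01 import views

# Patterns end with $ so that ^user/ does not also match user/add/
# (without it, add_user is never reached because ^user/ is listed first).
urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^login/$', views.login),
    url(r'^user/$', views.user),
    url(r'^user/add/$', views.add_user),
    url(r'^roles/$', views.roles),
]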
Life is short, I learn Python!