python django中的权限控制

权限控制

基于form组件实现

1. 配置文件编写权限关系表

有权限控制,意味着要登录,需要提前把登录页面放到白名单,在setting.py文件写入白名单内的路径不做访问控制和登录认证
WHITE_URL = ["/web/login/", "/web/sms_login", "web/sms_send", "/web/logout/"]
在setting.py文件写入权限关系表,实现ADMIN,BOSS,CUSTOMER三者不同的访问路径

MY_PERMISSION = {
    "ADMIN": {
        "home": {"text": "主页", "parent": None},
        "order": {"text": "订单", "parent": None},
        "level_list": {"text": "级别展示", "parent": None},
        "level_add": {"text": "级别新增", "parent": "level_list"},
        "customer_list": {"text": "用户管理", "parent": None},
    },
    "BOSS": {
        "home": {"text": "主页", "parent": None},

        "order": {"text": "订单", "parent": None},
        "order_add": {"text": "订单新增", "parent": "order"},

        "level_list": {"text": "级别展示", "parent": None},
        "level_add": {"text": "级别新增", "parent": "level_list"},
        "level_edit": {"text": "级别编辑", "parent": "level_list"},
        "level_del": {"text": "级别删除", "parent": "level_list"},

        "customer_list": {"text": "用户管理", "parent": None},
        "customer_add": {"text": "新增用户", "parent": "customer_list"},
        "customer_edit": {"text": "用户编辑", "parent": "customer_list"},
        "customer_del": {"text": "用户删除", "parent": "customer_list"},
    },
    "CUSTOMER": {
        "home": {"text": "主页", "parent": None},
        # "order": None,
    }
}

2. 通过django的session组件,对用户登录后将角色传入到session中

user_obj = models.Customer.objects.filter(username=user, password=pwd).first()
if not user_obj:
    userform.add_error("acc_password", "账号或者用户名错误")
    return render(request, "login.html", {"userform": userform})
mapping = {"root": "BOSS", "admin": "ADMIN"}
request.session[settings.SESSION_KEY] = {"name": user, "role": user_obj.get_role_level_display()}
return redirect(settings.HOME_PAGE)

get_role_level_display() 是为了展示下面role_level里的choice字段
model代码
class Customer(ActiveBaseModel):
    role_Choices=((30,"BOSS"),(20,"ADMIN"),(1,"CUSTOMER"))
    username = models.CharField(max_length=20, verbose_name="用户名称")
    password = models.CharField(max_length=20, verbose_name="密码")
    ...省略...
    level =models.ForeignKey(verbose_name="会员等级",to="Level",on_delete=models.CASCADE,default=1)
    role_level = models.SmallIntegerField(choices=role_Choices,default=1,verbose_name="角色级别")
    # limit_choices_to 可以用来对关联内容做限制展示
    # level = models.ForeignKey(verbose_name="级别", to="Level", on_delete=models.CASCADE, limit_choices_to={'active': 1})
    create_date=models.DateTimeField(verbose_name="创建日期",auto_now_add=True)

3. 通过中间件读取里面的角色和配置文件角色相关的权限

搞懂中间件的先后执行顺序

process_request 是第一步,通过这步获取session内的数据,同时做初步的登录访问控制路由
process_view 是在上一步获取权限的基础上进行鉴权操作.

# 用来通过实例对象,将权限,角色等信息规范的写入到对应的属性中去
class UserDict():
    def __init__(self,name,role):
        self.name=name
        self.role=role
        self.detail = settings.MY_MENU.get(role)
        self.permission=settings.MY_PERMISSION.get(role)
        self.path = None

# 将UserDict通过中间件赋值到request对象中,后续可以通过request.user_dict.permission获取登录角色的权限
class AuthMiddleware(MiddlewareMixin):
    def process_request(self, request):
        # 白名单url不需要登录就能访问
        if request.path_info in settings.WHITE_URL:
            return None

        # 检测是否已经登录,判断session中的userino的session信息
        user_dict = request.session.get(settings.SESSION_KEY)
        print("user_dict>>", user_dict)
        if not user_dict:
            return redirect(settings.LOGIN_HOME)

        # 也可以 request.user_dict.name = user_dict.get("name"),但是推荐下面这样写
        # 因为类属性字段都会统一,而且调用时候也方便直接获取对象的属性即可
        # 并且在html模版中也可以传入request对象,如果要获取用户名字就是request.user_dict.name
        request.user_dict=UserDict(**user_dict)

    def process_view(self,request,callback,callback_args,callback_kwargs):
        # 无须登录就能访问的白名单没有给request添加user_dict类,放行
        if not hasattr(request,"user_dict"):
            return None


        url_name = request.resolver_match.url_name
        if not request.user_dict.permission.get(url_name):
            return HttpResponse("没有权限进入")

        # 添加访问路径
        visit_path_list=[]
        visit_path_list.append(request.user_dict.permission[url_name]["text"])

        while request.user_dict.permission[url_name]["parent"]:
            print("url_name>>", url_name)
            father_menu = request.user_dict.permission[url_name]["parent"]
            father_menu_text = request.user_dict.permission[father_menu]["text"]

            visit_path_list.append(father_menu_text)
            url_name=father_menu
        visit_path_list.reverse()
        print("访问路径是",visit_path_list) #访问路径是 ['订单', '订单新增']
        request.user_dict.path=visit_path_list

4. 自定义模版

理论上 第3步已经实现了权限控制,这一步是增加体验感,对于没权限的功能,在前端页面上不做展示.
这里自定义了添加,编辑,删除的自定义simple_tag
还自定义了过滤器,这里是根据功能选择不同的自定义模版类型,
选择自定义simple_tag是因为要传入多个参数,而自定义的过滤器只能传2个,但是simple_tag只能返回字符串,因此需要mark_safe进行转换成a标签
选择自定义过滤器 是因为要实现table标签 的列是否显示,如果登录角色没有edit和delete的权限,那么操作这列没必要显示出来,因此返回的值为布尔值即可

from django import template
from django.utils.safestring import mark_safe
from django.shortcuts import reverse
register=template.Library()

@register.simple_tag()
def add_permission(request,url_reverse_name,*args,**kwargs):
    # 传入url别名反向生成url
    actual_url = reverse(url_reverse_name,*args,**kwargs)
    # 如果权限中有url别名 表示有权限
    if not request.user_dict.permission.get(url_reverse_name):
       return ""
    else:
        html_tag = '<a class="btn btn-success" href="{}">新增</a>'.format(actual_url)
        # html_tag = '<a class="btn btn-success" >新增</a>'
        return mark_safe(html_tag)



@register.simple_tag()
def edit_permission(request,url_reverse_name,*args,**kwargs):
    # 这里的edit和上面的add url是不同的,edit和delete是要传入pk值的,反向解析通过kwargs获取
    actual_url = reverse(url_reverse_name, args=args,kwargs=kwargs)
    # 如果权限中有url别名 表示有权限
    if not request.user_dict.permission.get(url_reverse_name):
       return ""
    else:
        # html_tag = '<td><a class="btn btn-primary" href="{}">编辑</a> </td>'.format(actual_url)
        html_tag = '<a class="btn btn-primary" href="{}">编辑</a> '.format(actual_url)
        return mark_safe(html_tag)




@register.simple_tag()
def del_permission(request,url_reverse_name,*args,**kwargs):
    # 这里的edit和上面的add url是不同的,edit和delete是要传入pk值的,反向解析通过kwargs获取
    actual_url = reverse(url_reverse_name, args=args,kwargs=kwargs)
    if not request.user_dict.permission.get(url_reverse_name):
       return ""
    else:
        # html_tag = '<td><a class="btn btn-danger" href="{}">删除</a> </td>'.format(actual_url)
        html_tag = '<a class="btn btn-danger" href="{}">删除</a>'.format(actual_url)
        return mark_safe(html_tag)



@register.filter()
def has_permission(request,tags):
    #filter只能传2个参数,这里我们把多个反向解析的url别名用逗号拼接传入tags
    tag_lists = tags.split(",")
    for tag_List in tag_lists:
        if tag_List in request.user_dict.permission.keys():
            return True

    return False

5. 在html模版渲染中写入判断条件,实现动态展示

{% extends "home.html" %}

{% load permission_tags %}
{% block level %}
    <div>
        {#        <a class="btn btn-success" href={% url 'level_add' %}>新增</a>#}
        {% add_permission request "level_add" %}
    </div>
    <table class="table table-striped table-condensed table-hover">
        <thead>
        <tr>
            <th>ID</th>
            <th>标题</th>
            <th>折扣</th>
            {% if request|has_permission:"level_edit,level_del" %}    如果无删除和编辑权限,不显示操作这列
                <th>操作</th>
            {% endif %}
        </tr>
        </thead>
        <tbody></tbody>
        {% for obj in queryset %}
            <tr>
                <td>{{ obj.id }}</td>
                <td>{{ obj.title }}</td>
                <td>{{ obj.discount }} <span>%</span></td
                {% if request|has_permission:"level_edit,level_del" %}     如果无删除和编辑权限,不显示操作这列
                <td>
                    {% edit_permission request "level_edit" pk=obj.id %} {# 编辑按钮 #}   如果无编辑权限,不显示编辑按钮
                    {% del_permission request "level_del" pk=obj.id %} {# 删除按钮 #}    如果无删除权限,不显示删除按钮
                </td>
                {% endif %}


            </tr>
        {% endfor %}
    </table>

{% endblock %}
posted @ 2023-08-03 09:27  零哭谷  阅读(342)  评论(0编辑  收藏  举报