1

s11 day106-107 RBAC模块

 

 

一、登录 把权限存在session中

1. rbac models

 

from django.db import models


class Permission(models.Model):
    """
    权限表
    """
    title = models.CharField(verbose_name='标题', max_length=32)
    url = models.CharField(verbose_name='含正则的URL', max_length=128)

    def __str__(self):
        return self.title


class Role(models.Model):
    """
    角色
    """
    title = models.CharField(verbose_name='角色名称', max_length=32)
    permissions = models.ManyToManyField(verbose_name='拥有的所有权限', to='Permission', blank=True)

    def __str__(self):
        return self.title


class UserInfo(models.Model):
    """
    用户表
    """
    name = models.CharField(verbose_name='用户名', max_length=32)
    password = models.CharField(verbose_name='密码', max_length=64)
    email = models.CharField(verbose_name='邮箱', max_length=32)
    roles = models.ManyToManyField(verbose_name='拥有的所有角色', to='Role', blank=True)

    def __str__(self):
        return self.name

  

 2. web models

 

from django.db import models


class Customer(models.Model):
    """
    客户表
    """
    name = models.CharField(verbose_name='姓名', max_length=32)
    age = models.CharField(verbose_name='年龄', max_length=32)
    email = models.EmailField(verbose_name='邮箱', max_length=32)
    company = models.CharField(verbose_name='公司', max_length=32)

    def __str__(self):
        return self.name

    class Meta:
        verbose_name_plural = "客户表"

class Payment(models.Model):
    """
    付费记录
    """
    customer = models.ForeignKey(verbose_name='关联客户', to='Customer')
    money = models.IntegerField(verbose_name='付费金额')
    create_time = models.DateTimeField(verbose_name='付费时间', auto_now_add=True)

    class Meta:
        verbose_name_plural = "支付表"

 

#########权限相关###########
PERMISSION_SESSION_KEY ="permission_list"

VALID_URL=[
    "^/login/$",
    "^/admin/.*",

]

  

 

from django.conf.urls import url
from web.views import customer
from web.views import payment
from web.views import login

urlpatterns = [

    url(r'^customer/list/$', customer.customer_list),
    url(r'^customer/add/$', customer.customer_add),
    url(r'^customer/edit/(?P<cid>\d+)/$', customer.customer_edit),
    url(r'^customer/del/(?P<cid>\d+)/$', customer.customer_del),
    url(r'^customer/import/$', customer.customer_import),
    url(r'^customer/tpl/$', customer.customer_tpl),

    url(r'^payment/list/$', payment.payment_list),
    url(r'^payment/add/$', payment.payment_add),
    url(r'^payment/edit/(?P<pid>\d+)/$', payment.payment_edit),
    url(r'^payment/del/(?P<pid>\d+)/$', payment.payment_del),

    url(r"^login/",login.login)
]

 

 

 

 

 

 

 

 

 

 

 

from  django.shortcuts import render,redirect
from rbac import models
# from luffy_permission.settings import PERMISSION_SESSION_KEY
from django.conf import settings

def login(request):
    if request.method == "GET":

        return render(request, 'login.html')

    #1. 获取提交的用户名和密码
    user = request.POST.get("user")
    user = request.POST.get('user')

    pwd = request.POST.get("pwd")
    pwd = request.POST.get('pwd')

    #2.检验用户是否合法
    obj = models.UserInfo.objects.filter(name=user, password=pwd).first()
    print(obj)

    if not obj:
        return render(request, 'login.html', {'msg': '用户名或密码错误'})

    #3获取用户信息和权限信息写入session
    permission_list =obj.roles.filter(permissions__url__isnull = False).values('permissions__url').distinct()
    print(permission_list)
    for item  in permission_list:
        print(item)
    request.session['user_info'] = {'id':obj.id,'name':obj.name}

    request.session[settings.PERMISSION_SESSION_KEY] = list(permission_list)
    return redirect('/customer/list/')

 

 

 二、中间件

 

https://www.cnblogs.com/yuanchenqi/articles/9036467.html?tdsourcetag=s_pcqq_aiomsg   (session知识点)

 

from django.utils.deprecation import MiddlewareMixin
from django.shortcuts import redirect,HttpResponse
from luffy_permission import settings
import re
class RbacMiddleware(MiddlewareMixin):
    #权限控制的中间件
    def process_request(self,request):
        #权限控制
        #1. 获取当前请求url
        current_url =request.path_info

        #1.5 白名单处理
        for reg in settings.VALID_URL:
            import re
            if re.match(reg,current_url):
                return None

        #2. 获取当前用户session所有权限
        permission_list =request.session.get(settings.PERMISSION_SESSION_KEY)
        if not permission_list:
            return redirect("/login")

        #3.进行权限校验

        print(current_url)
        print(permission_list)
        flag =False
        for item in permission_list:
            reg ="^%s$" %         item.get("permissions__url")
            import re
            if re.match(reg,current_url):
                flag=  True
                break
        if not flag:
            return HttpResponse("无权访问")

  

 三 、为客户添加菜单 (二级菜单,一级菜单)

 

修改 models

class Permission(models.Model):
    """
    权限表
    """
    title = models.CharField(verbose_name='标题', max_length=32)
    url = models.CharField(verbose_name='含正则的URL', max_length=128)

    is_menu =models.BooleanField(verbose_name="是否可以作为菜单",default=False)
    icon =models.CharField(max_length=32,null=True,blank=True)
   红色即为增加字段

略  

 

 

四、生成组件.

1.设置一个初始化组件 ,将登陆后的权限信息和菜单信息放入session

from django.conf import settings


def init_permission(request,user):
    """
    权限和菜单信息初始化,以后使用时,需要在登陆成功后调用该方法将权限和菜单信息放入session
    :param request:
    :param user:
    :return:
    """

    # 3. 获取用户信息和权限信息写入session
    permission_queryset = user.roles.filter(permissions__url__isnull=False).values('permissions__url',
                                                                                  'permissions__is_menu',
                                                                                  'permissions__title',
                                                                                  'permissions__icon',
                                                                                  ).distinct()


    menu_list = []
    permission_list = []

    for row in permission_queryset:
        permission_list.append({'permissions__url': row['permissions__url']})

        if row['permissions__is_menu']:
            menu_list.append(
                {'title': row['permissions__title'], 'icon': row['permissions__icon'], 'url': row['permissions__url']})

    request.session[settings.PERMISSION_SESSION_KEY] = permission_list
    request.session[settings.MENU_SESSION_KEY] = menu_list

 

2.登陆界面 ,留意红色字体,在调用权限组件

 

from django.shortcuts import render, redirect,HttpResponse
from rbac import models
from rbac.service.init_permission import init_permission
from django.conf import settings


def login(request):
    """
    用户登陆
    :param request:
    :return:
    """
    if request.method == 'GET':
        return render(request,'login.html')

    # 1. 获取提交的用户名和密码
    user = request.POST.get('user')
    pwd = request.POST.get('pwd')

    # 2. 检验用户是否合法
    obj = models.UserInfo.objects.filter(name=user,password=pwd).first()
    if not obj:
        return render(request, 'login.html',{'msg':'用户名或密码错误'})
    request.session['user_info'] = {'id': obj.id, 'name': obj.name}
init_permission(request,obj)
return redirect('/student/') def student(request): return render(request,'student.html') def student_add(request): return render(request, 'student_add.html')

 

3.中间件组件的整合

 

from django.utils.deprecation import MiddlewareMixin
from django.conf import settings
from django.shortcuts import redirect,HttpResponse
import re

class RbacMiddleware(MiddlewareMixin):
    """
    权限控制的中间件
    """

    def process_request(self, request):
        """
        权限控制
        :param request:
        :return:
        """
        # 1. 获取当前请求URL
        current_url = request.path_info

        # 1.5 白名单处理
        for reg in settings.VALID_URL:
            if re.match(reg,current_url):
                return None

        # 2. 获取当前用户session中所有的权限
        permission_list = request.session.get(settings.PERMISSION_SESSION_KEY)
        if not permission_list:
            return redirect('/login/')

        # 3. 进行权限校验
        flag = False
        for item in permission_list:
            reg = "^%s$" % item.get('permissions__url')
            if re.match(reg, current_url):
                flag = True
                break
        if not flag:
            return HttpResponse('无权访问')

 

posted @ 2018-08-20 08:47  萌哥-爱学习  阅读(177)  评论(0编辑  收藏  举报