3 权限粒度控制到按钮

不同用户登录系统时候,根据权限不同来控制是否限制指定按钮

第一步:修改表结构

class Permission(models.Model):
    """
    权限表
    """
    title = models.CharField(verbose_name='标题', max_length=32)
    url = models.CharField(verbose_name='含正则的URL', max_length=128)
    name = models.CharField(verbose_name="URL别名", max_length=32, unique=True)

    menu = models.ForeignKey(verbose_name='所属菜单', to='Menu', null=True, blank=True, help_text='null表示不是菜单;非null表示是二级菜单',
                             on_delete=models.CASCADE)

    pid = models.ForeignKey(verbose_name="关联的权限", to="Permission", null=True, blank=True, related_name="parents",
                            help_text="对于非菜单权限需要选择一个可以成为菜单的权限,用于做默认展开和选中菜单",
                            on_delete=models.CASCADE)

    def __str__(self):
        return self.title

image


第二步:修改初始化信息

init_permission.py
from django.conf import settings


def init_permission(current_user, request):
    """
    用户权限信息的初始化
    :param current_user:当前用户对象
    :param request:当前用户的请求数据
    :return:
    """
    # 根据当前用户信息获取此用户拥有的所有权限
    permission_queryset = current_user.roles.filter(permissions__isnull=False).values(
        "permissions__id",
        "permissions__title",
        "permissions__url",
        "permissions__name",
        "permissions__pid__id",
        "permissions__pid__title",
        "permissions__pid__url",
        "permissions__menu__id",
        "permissions__menu__title",
        "permissions__menu__icon", ).distinct()

    # 获取权限+菜单信息,写入session
    menu_dict = {}
    permissions_dict = {}
    for item in permission_queryset:
        permissions_dict[item["permissions__name"]] = {
                "id": item["permissions__id"],
                "title": item["permissions__title"],
                "url": item["permissions__url"],
                "pid": item['permissions__pid__id'],
                "p_title": item["permissions__pid__title"],
                "p_url": item["permissions__pid__url"]
            }

        menu_id = item["permissions__menu__id"]
        if not menu_id:
            continue
        node = {"id": item["permissions__id"], "title": item["permissions__title"], "url": item["permissions__url"]}
        if menu_id in menu_dict:
            menu_dict[menu_id]["children"].append(node)
        else:
            menu_dict[menu_id] = {
                "title": item["permissions__menu__title"],
                "icon": item["permissions__menu__icon"],
                "children": [node, ]
            }

    request.session[settings.PERMISSION_SESSION_KEY] = permissions_dict
    request.session[settings.MENU_SESSION_KEY] = menu_dict


第三步:修改中间件

rbac.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import re
from django.utils.deprecation import MiddlewareMixin
from django.shortcuts import HttpResponse
from django.conf import settings


class RbacMiddleware(MiddlewareMixin):
    """
    用户权限信息校验
    """

    def process_request(self, request):
        """
        当用户请求刚进入时候出发执行
        :param request:
        :return:
        """

        """
        1. 获取当前用户请求的URL
        2. 获取当前用户在session中保存的权限列表 ['/customer/list/','/customer/list/(?P<cid>\\d+)/']
        3. 权限信息匹配
        """
        current_url = request.path_info
        for valid_url in settings.VALID_URL_LIST:
            if re.match(valid_url, current_url):
                # 白名单中的URL无需权限验证即可访问
                return None

        permission_dict = request.session.get(settings.PERMISSION_SESSION_KEY)
        if not permission_dict:
            return HttpResponse('未获取到用户权限信息,请登录!')

        flag = False
        url_record = [
            {"title": "首页", "url": "#"}
        ]

        for item in permission_dict.values():
            reg = "^%s$" % item["url"]
            if re.match(reg, current_url):
                flag = True
                request.current_selected_permission = item["pid"] or item["id"]
                if not item["pid"]:
                    url_record.extend([{"title": item["title"], "url": item["url"], "class":"active"}])
                else:
                    url_record.extend([
                        {"title": item["p_title"], "url": item["p_url"]},
                        {"title": item["title"], "url": item["url"], "class":"active"},
                    ])
                request.url_record = url_record
                break
        if not flag:
            return HttpResponse('无权访问')


第四步:filter过滤

rbac.py
from django.template import Library
from django.conf import settings

register = Library()

@register.filter
def has_permission(request, name):
    """最多只能传2个参数,做权限过滤"""
    if name in request.session[settings.PERMISSION_SESSION_KEY]:
        return True

第五步:模板应用

customer_list.html
{% extends 'layout.html' %}
{% load rbac %}

{% block content %}

    <div class="luffy-container">
        <div class="btn-group" style="margin: 5px 0">

            {% if request|has_permission:"customer_add" %}
                <a class="btn btn-default" href="/customer/add/">
                    <i class="fa fa-plus-square" aria-hidden="true"></i> 添加客户
                </a>
            {% endif %}
            {% if request|has_permission:"customer_import" %}
                <a class="btn btn-default" href="/customer/import/">
                    <i class="fa fa-file-excel-o" aria-hidden="true"></i> 批量导入
                </a>
            {% endif %}

        </div>
        <table class="table table-bordered table-hover">
            <thead>
            <tr>
                <th>ID</th>
                <th>客户姓名</th>
                <th>年龄</th>
                <th>邮箱</th>
                <th>公司</th>

                {% if request|has_permission:"customer_del" or request|has_permission:"customer_edit" %}
                    <th>选项</th>
                {% endif %}

            </tr>
            </thead>
            <tbody>
            {% for row in data_list %}
                <tr>
                    <td>{{ row.id }}</td>
                    <td>{{ row.name }}</td>
                    <td>{{ row.age }}</td>
                    <td>{{ row.email }}</td>
                    <td>{{ row.company }}</td>

                    {% if request|has_permission:"customer_del" or request|has_permission:"customer_edit" %}
                        <td>
                            {% if request|has_permission:"customer_edit" %}
                                <a style="color: #333333;" href="/customer/edit/{{ row.id }}/">
                                    <i class="fa fa-edit" aria-hidden="true"></i></a>
                            {% endif %}
                            {% if request|has_permission:"customer_del" %}
                                <a style="color: #d9534f;" href="/customer/del/{{ row.id }}/"><i
                                        class="fa fa-trash-o"></i></a>
                            {% endif %}
                        </td>
                    {% endif %}

                </tr>
            {% endfor %}
            </tbody>
        </table>
    </div>
{% endblock %}

权限粒度控制到按钮代码下载

posted @ 2022-08-29 11:51  角角边  Views(46)  Comments(0Edit  收藏  举报