Fork me on GitHub

Django 权限控制配置步骤

1.models下面添加权限控制信息:

class UserProfile(models.Model):
    user = models.OneToOneField(User)
    name = models.CharField(u"姓名",max_length=32)
    def __str__(self):
        return self.name

    class Meta:
        permissions = (('view_customer_list',u'可以查看用户信息'),
                       ('view_customer_info',u'可以查看客户详细信息'),
                       ('edit_own_customer_info',u'可以修改自己的客户信息'),
                       )

2.配置别名关联的URL:

url(r'^mod_customers/(\d+)/$', views.mod_customers, name='customer_detail'),

3.app下创建权限文件,根据配置的URL修改permissions.py:

from django.core.urlresolvers import resolve
from django.shortcuts import render
perm_dic = {    #第一个参数是URL,第二个是请求方法,最后是参数
    'view_customer_list': ['customer_list','GET',[]],
    # 'view_customer_info': ['customer_detail','GET',[]],
    'edit_own_customer_info': ['customer_detail','POST',['test']],
    'view_staff_list': ['staff_list','GET',[]],
}

4.前端配置别名url的a标签:

<td style="text-align:center"><a href="{% url 'customer_detail' student.id %}">{{ student.id }}</a></td>

5.permission文件下添加装饰器:

def check_permission(func): #将函数自身func传入
    def wrapper(*args,**kwargs): #如果有参数args,kwargs
        print("start check permission")
        if perm_check(*args,**kwargs) is not True:#没权限
            return render(args[0],'no_permission.html')
        perm_check(*args,**kwargs)  #在执行函数之前,检查是否有权限
        return func(*args,**kwargs) #执行被装饰的函数
    return wrapper

6.将权限与限制关联,permission文件下:

def perm_check(*args,**kwargs):
    request = args[0]
    url_resovle_obj = resolve(request.path_info)    #resolve将域名解析为URL的别名
    current_url_namespace = url_resovle_obj.url_name    #获取URL别名
    #app_name = url_resovle_obj.app_name #use this name later
    print("url namespace:",current_url_namespace)
    matched_flag = False # find matched perm item
    matched_perm_key = None
    if current_url_namespace is not None:#if didn't set the url namespace, permission doesn't work
        print("find perm...")
        for perm_key in perm_dic:
            perm_val = perm_dic[perm_key]
            if len(perm_val) == 3:#otherwise invalid perm data format
                url_namespace,request_method,request_args = perm_val
                print(url_namespace,current_url_namespace)
                if url_namespace == current_url_namespace: #matched the url
                    if request.method == request_method:#matched request method
                        if not request_args:#if empty , pass
                            matched_flag = True
                            matched_perm_key = perm_key
                            print('mtched...')
                            break #no need looking for  other perms
                        else:
                            for request_arg in request_args: #might has many args
                                request_method_func = getattr(request,request_method) #get or post mostly
                                #print("----->>>",request_method_func.get(request_arg))
                                if request_method_func.get(request_arg) is not None:
                                    matched_flag = True # the arg in set in perm item must be provided in request data
                                else:
                                    matched_flag = False
                                    print("request arg [%s] not matched" % request_arg)
                                    break #no need go further
                            if matched_flag == True: # means passed permission check ,no need check others
                                print("--passed permission check--")
                                matched_perm_key = perm_key
                                break

    else:#permission doesn't work
        return True

    if matched_flag == True:
        #pass permission check
        perm_str = "crm.%s" %(matched_perm_key)
        if request.user.has_perm(perm_str):
            print("\033[42;1m--------passed permission check----\033[0m")
            return True
        else:
            print("\033[41;1m ----- no permission ----\033[0m")
            print(request.user,perm_str)
            return False
    else:
        print("\033[41;1m ----- no matched permission  ----\033[0m")

7.在想要权限限制的方法前,添加@check_permission装饰器:

@check_permission
def staff(request):
    if request.method == 'POST':
    staff_obj = User.objects.all()
    return render(request,'staff.html',{'staff_obj':staff_obj})
posted @ 2016-06-02 13:22  stefan.liu  阅读(760)  评论(0编辑  收藏  举报