对于Django而言,虽然自带了一些基本的通用权限限制,但现实中,可能我们更希望自己去定义业务权限划分

 

 

Django对于权限这块的部分验证方法

1 user = request.user
2 user.is_superuser  #是否是超级管理员
3 user.s_anonymous()  #是否匿名用户,及未登录用户
4 user.groups.select_related()  #获取用户对应的组角色对象,
5 #当获取到group后,通过group.name获取组名,

 

下面是一段完整的权限控制例子

  1 #!/usr/bin/env python
  2 # encoding:utf8
  3 
  4 from django.core.urlresolvers import resolve
  5 from django.shortcuts import render
  6 
  7 
  8 # 定义角色权限
  9 roles = {
 10     'consultant': ['Customer', 'ConsultRecord'],
 11     'teachers': ['Course', 'ClassList', 'CourseRecord', 'StudyRecord'],
 12     'students':  ['StudyRecord'],
 13 }
 14 # 权限映射
 15 permission_map = {
 16     'view_home': ['index', 'GET', []],  # 展示对应对可操作对象
 17     'view_object': ['admin_controller', 'GET', ['show']],  # 查看具体对象对数据信息
 18     'edit_object': ['admin_controller', 'POST', ['show', 'id']],  # 具有编辑该对象对权限
 19     'add_object_view': ['admin_controller', 'GET', ['add']],  # 进入添加页面,但不表示可以进行修改,该权限用于对表格显示字段过长,显示不全,可以进入该页面查看
 20     'add_object': ['admin_controller', 'POST', ['add']],  # 具有添加该对象对权限
 21     'delete_object': ['admin_controller', 'POST', ['show', 'data']],  # 具有删除该对象对权限
 22 }
 23 
 24 
 25 def check_process(*args, **kwargs):
 26     request = args[0]
 27     user = request.user
 28     if user.is_superuser:
 29         return True
 30     resolver_match_obj = resolve(request.path)
 31     url_name = resolver_match_obj.url_name
 32     args = list(resolver_match_obj.args)
 33     args.extend(request.GET)
 34     args.extend(request.POST)
 35     print('begin checking permission ', resolver_match_obj)
 36     if url_name:
 37         is_match = False
 38         match_perm = None
 39         for permission in permission_map:
 40             permission_action = permission_map[permission]  # 获取url对应的权限动作
 41             print('----------------url action: ', permission_action)
 42             if len(permission_action) == 3:  # 为保障下面语句执行不为语法而被破坏,加上该条件,强制性判断,否则放行
 43                 define_url_name, define_request_method, define_others = permission_action
 44                 if url_name == define_url_name:
 45                     print("match url name: ", define_url_name)
 46                     if request.method == define_request_method:
 47                         print("match method: ", define_request_method)
 48                         if define_others:  # 如果定义了具体参数匹配,则继续匹配参数
 49                             print("check others: ", permission, define_others)
 50                             for arg in define_others:
 51                                 if hasattr(request, str(define_request_method)):
 52                                     request_method = getattr(request, str(define_request_method))  # 获取对应的请求方法对象
 53                                     if hasattr(request_method, arg) or arg in args:  # 如果能匹配参数,则标记匹配
 54                                         is_match = True
 55                                         print("others match: ", arg)
 56                                     else:
 57                                         print("others not match: ", arg)
 58                                         is_match = False
 59                             if is_match:
 60                                 print("others match done: ", permission, permission_action)
 61                                 match_perm = permission
 62                                 break
 63                         else:
 64                             is_match = True
 65                             match_perm = permission
 66                             print("url check done ...", permission, permission_action)
 67                             break
 68             else:
 69                 print('please check the define rules, maybe has some problem')
 70                 return True  # 如果定义的动作不完整,为避免新增权限的缺陷影响业务,这种错误应该放行处理
 71     else:
 72         return True  # 如果没有找到对应的url name则放行处理
 73 
 74     if is_match:
 75         print("begin check user permission ...")
 76         if user.is_anonymous():
 77             print("user has not login ...")
 78             return True  # 如果用户是匿名,说明该页面可能不需要权限控制,放行处理,假如该view需要登录认证,那么再次权限处理时,不会在此处理
 79         elif user.has_perm('%s.%s' % (__package__, match_perm)):
 80             groups = user.groups.select_related()
 81             model_list = []
 82             for group in groups:
 83                 if group.name in roles:
 84                     model_list.extend(roles[group.name])
 85             if args and len(args) > 1:  # 如果URL获取到参数,则对参数进行比较
 86                 access_model = args[0]
 87                 if access_model not in model_list:  # 该操作主要拦截,直接使用URL方式而非超链接,尝试指定不同model访问其它数据
 88                     return False
 89                 return True
 90             return model_list if model_list else True  # 如果model_list为空,且该用户还有权限,那么只有超级用户才有这种特权了
 91     return False
 92 
 93 
 94 def decorator(func):
 95     def wrapper(*args, **kwargs):
 96         check_result = check_process(*args, **kwargs)
 97         if not check_result:
 98             render_respond = render(args[0], '403.html')
 99             render_respond.status_code = 403  # 修改头部信息状态码
100             print("permission refused ...")
101             return render_respond
102         if type(check_result) is list:  # 该参数仅在本次view中可能有用,所以在return时需要尝试捕获,如果出错,则尝试移除该key,再返回,再有其它错误,就可以排除是该权限控制产生的了
103             kwargs['model_list'] = check_result
104         print('permission check passed...')
105         try:
106             return func(*args, **kwargs)
107         except TypeError:
108             kwargs.pop('model_list')
109             return func(*args, **kwargs)
110     return wrapper