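Django: The Permission Component
I. Requirements analysis
RBAC (Role-Based Access Control) associates users with permissions through roles. Put simply, a user has several roles and a role has several permissions, which gives a "user-role-permission" authorization model. In this model, the relationships between users and roles, and between roles and permissions, are both many-to-many.
An accessible URL containing a regular expression is one permission; roles are used to control access to URLs.
II. Implementation
1. Directory tree
2. Database design
User groups, roles, permissions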
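```python
from django.db import models

# Create your models here.


class User(models.Model):
    name = models.CharField(max_length=32)
    # The password is stored and compared in plain text in this demo;
    # django.contrib.auth.hashers (make_password / check_password) stores a salted hash instead.
    pwd = models.CharField(max_length=32)
    roles = models.ManyToManyField("Role")

    def __str__(self):
        return self.name


class Role(models.Model):
    title = models.CharField(max_length=32)
    permissions = models.ManyToManyField("Permission")

    def __str__(self):
        return self.title


class Permission(models.Model):
    url = models.CharField(max_length=32)  # URL, may contain a regular expression
    title = models.CharField(max_length=32, default="")
    # on_delete is mandatory from Django 2.0; CASCADE was the implicit default before.
    p_group = models.ForeignKey("PermissionGroup", default=1, on_delete=models.CASCADE)
    code = models.CharField(max_length=32, default="list")

    def __str__(self):
        return self.title


class PermissionGroup(models.Model):
    name = models.CharField(max_length=32)

    def __str__(self):
        return self.name
```
rbac/models.py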
3. Login verification
Inject all of the logged-in user's permission information into the session.
rbac/service/initail.py
```python
def permission_session(user, request):
    # Inject all permissions of the current user into the session.

    # Method 1:
    # permissions = user.roles.all().values("permissions__url").distinct()
    # permission_list = []
    # for i in permissions:
    #     permission_list.append(i.get("permissions__url"))
    #
    # request.session["permission_list"] = permission_list

    # Method 2: group the URLs and codes by permission group.
    permissions = user.roles.all().values(
        "permissions__url", "permissions__p_group_id", "permissions__code"
    ).distinct()
    # print(permissions)
    permission_dict = {}
    for permission in permissions:
        p_group_id = permission.get("permissions__p_group_id")
        if p_group_id in permission_dict:
            permission_dict[p_group_id]["urls"].append(permission.get("permissions__url"))
            permission_dict[p_group_id]["codes"].append(permission.get("permissions__code"))
        else:
            permission_dict[p_group_id] = {
                "urls": [permission.get("permissions__url")],
                "codes": [permission.get("permissions__code")],
            }
    print(permission_dict)
    request.session["permission_dict"] = permission_dict
```
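4. Permission checking in middleware
Functions:
1. Whitelist check;
2. Check whether the session has been populated, i.e. whether the user is logged in;
3. Match the requested URL against the current user's permission URLs, and write the code information into the request.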
settings.py
```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    "rbac.service.rbac.PermissionValid",
]
```
rbac/service/rbac.py
```python
import re

from django.utils.deprecation import MiddlewareMixin
from django.shortcuts import HttpResponse, redirect


class PermissionValid(MiddlewareMixin):
    def process_request(self, request):
        valid_url = ["/login/", "/reg/", "/admin/.*"]  # whitelist
        for url in valid_url:
            url = "^%s$" % url
            ret = re.match(url, request.path_info)
            if ret:
                return None

        # Check whether the session has been populated, i.e. whether the user is logged in.
        if not request.session.get("user_id"):
            return redirect("/login/")

        current_path = request.path_info

        # Method 1:
        # permission_list = request.session.get("permission_list")
        # flag = False
        # for permission in permission_list:
        #     permission = "^%s$" % permission
        #     ret = re.match(permission, current_path)
        #     if ret:
        #         flag = True
        #         break
        # if not flag:
        #     return HttpResponse("无权访问")

        # Method 2:
        # Match the requested URL against the permission URLs and write the
        # code information into the request.
        # A session without permission data gives an empty dict, so the request is denied.
        permission_dict = request.session.get("permission_dict") or {}
        for item in permission_dict.values():
            urls = item["urls"]
            for permission in urls:
                permission = "^%s$" % permission
                ret = re.match(permission, current_path)
                if ret:
                    print("codes", item.get("codes"))
                    request.codes = item.get("codes")
                    return None
        # 403 lets clients and logs tell a denial from a normal page.
        return HttpResponse("无权访问", status=403)
```
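The decision made by the login step and the middleware above can be exercised without Django. This is an added example, not code from the original post: `build_permission_dict`, `decide`, `audit` and the sample rows are names and data made up here, and it uses `re.fullmatch` in place of `re.match("^%s$")` and skips the empty row produced by a role that has no permissions.

```python
import re

# Constructed sample rows, shaped like the .values() result in permission_session().
SAMPLE_ROWS = [
    {"permissions__url": "/users/", "permissions__p_group_id": 1, "permissions__code": "list"},
    {"permissions__url": r"/users/(\d+)/change/", "permissions__p_group_id": 1, "permissions__code": "edit"},
    # A role without permissions yields a row of None values.
    {"permissions__url": None, "permissions__p_group_id": None, "permissions__code": None},
]
WHITELIST = ["/login/", "/reg/", "/admin/.*"]


def build_permission_dict(rows):
    """Group permission URLs and codes by permission group, skipping empty rows."""
    grouped = {}
    for row in rows:
        if row["permissions__url"] is None:
            continue
        # Keys are strings because a JSON-serialized session stores dict keys as strings.
        group = grouped.setdefault(str(row["permissions__p_group_id"]), {"urls": [], "codes": []})
        group["urls"].append(row["permissions__url"])
        group["codes"].append(row["permissions__code"])
    return grouped


def decide(path, session):
    """Return ("allow", codes), ("login", None) or ("deny", None) for one request."""
    # "$" in re.match("^...$") also matches just before a trailing newline;
    # re.fullmatch requires the whole path to match the pattern.
    if any(re.fullmatch(pattern, path) for pattern in WHITELIST):
        return "allow", None
    if not session.get("user_id"):
        return "login", None
    for group in (session.get("permission_dict") or {}).values():
        if any(re.fullmatch(pattern, path) for pattern in group["urls"]):
            return "allow", group["codes"]
    return "deny", None  # fail closed: no match, or no permission data in the session


def audit(paths, session):
    """Map each path to its decision, to review what one permission set allows."""
    return {path: decide(path, session)[0] for path in paths}


if __name__ == "__main__":
    session = {"user_id": 1, "permission_dict": build_permission_dict(SAMPLE_ROWS)}
    for path, verdict in audit(["/users/", "/users/7/change/", "/users/7/delete/",
                                "/users/\n", "/admin/rbac/"], session).items():
        print(repr(path), verdict)
```

Because a match returns the codes of the whole permission group, a user who only holds "list" and "edit" sees both codes on `/users/` but is still denied on `/users/7/delete/`.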
III. Code
```python
from django.shortcuts import render, HttpResponse, redirect

# Create your views here.
from rbac.models import *
from rbac.service.initail import permission_session


class PermissionCode(object):
    """Wraps the codes of the matched permission group for use in templates."""

    def __init__(self, codes):
        self.codes = codes

    def list(self):
        return "list" in self.codes

    def add(self):
        return "add" in self.codes

    def edit(self):
        return "edit" in self.codes

    def delete(self):
        return "del" in self.codes


def users(request):
    user_list = User.objects.all()
    # request.codes is set by the PermissionValid middleware.
    per = PermissionCode(request.codes)
    return render(request, "users.html", {"user_list": user_list, "per": per})


def add_users(request):
    return HttpResponse("添加用户")


def change_users(request, id):
    return HttpResponse("编辑用户")


def delete_users(request, id):
    return HttpResponse("删除用户")


def login(request):
    if request.method == "POST":
        user = request.POST.get("user")
        pwd = request.POST.get("pwd")
        user = User.objects.filter(name=user, pwd=pwd).first()
        if user:
            request.session["user_id"] = user.pk
            # Load the user's permissions into the session.
            permission_session(user, request)
            return HttpResponse("登录成功")
    return render(request, "login.html")
```
app01/views.py
```python
from django.contrib import admin

# Register your models here.
from .models import *

admin.site.register(User)
admin.site.register(Role)


class PermissionConfig(admin.ModelAdmin):
    list_display = ["title", "url", "p_group", "code"]


admin.site.register(Permission, PermissionConfig)
admin.site.register(PermissionGroup)
```
rbac/admin.py
```python
INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'app01.apps.App01Config',
    "rbac.apps.RbacConfig",
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    "rbac.service.rbac.PermissionValid",
]
```
settings.py
```python
from django.conf.urls import url
from django.contrib import admin

from app01 import views

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^login/$', views.login),
    url(r'^users/$', views.users),
    url(r'^users/add/$', views.add_users),
    url(r'^users/(\d+)/change/$', views.change_users),
    url(r'^users/(\d+)/delete/$', views.delete_users),
]
```
urls.py
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<form action="" method="post">
    {% csrf_token %}
    用户名:<input type="text" name="user">
    密码:<input type="password" name="pwd">
    <input type="submit">
</form>
</body>
</html>
```
templates/login.html
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
    <!-- Latest version of the Bootstrap core CSS file -->
    <link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
</head>
<body>
<div class="container">
    <h3>查看用户</h3>
    <div class="col-md-6">
        {% if per.add %}
        <a href="/users/add/" class="btn btn-primary">添加用户</a>
        {% endif %}
        <table class="table table-bordered table-striped col-md-offset-4">
            {% for user in user_list %}
            <tr>
                <td>{{ forloop.counter }}</td>
                <td>{{ user.name }}</td>
                {% if per.edit %}
                <td><a href="/users/{{ user.pk }}/change/" class="btn btn-success">编辑</a></td>
                {% endif %}
                {% if per.delete %}
                <td><a href="/users/{{ user.pk }}/delete/" class="btn btn-success">删除</a></td>
                {% endif %}
            </tr>
            {% endfor %}
        </table>
    </div>
</div>
</body>
</html>
```
templates/users.html
Reposted from: https://www.cnblogs.com/smallmars/p/8695125.html