Permission component: writing the logged-in user's permissions into the session
阿新 • Published: 2018-05-12
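1. Log in to admin and change the salesperson's permissions so that they can only view the order list.
2. urls.py
3. views.py: as it stands, anyone can access these views.
Question to think about: how do we add permissions to pages?
Writing the logged-in user's permissions into the session
4. Write the logged-in user's permission list into the session. session = { "user_id": 1, "permission_list": ['/users/', '/orders/'] }
5. When the user list or the user's orders are accessed, read the value (the permission list) from the session.
Condition: as long as the requested URL is in the permission list, access is allowed.
6. So here is the problem: if a URL contains a regex (\d+), how do we check it?
# current_path = request.path_info # /users/edit/3
# permission_list = request.session["permission_list"] # ['/users/', '/orders/', '/users/edit/(\d+)']
# if current_path in permission_list: # a plain membership test can no longer decide this
# pass
Regex matching
7. The match method
Return value on a successful match
8. users
orders: the orders view uses the same check
Code: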
    # Views.py
    import re

    from django.shortcuts import render, redirect, HttpResponse
    from rbac.models import UserInfo


    def login(request):
        if request.method == "GET":
            return render(request, "login.html")
        else:
            user = request.POST.get("user")
            pwd = request.POST.get("pwd")
            user = UserInfo.objects.filter(name=user, pwd=pwd).first()
            if user:
                # What to do after successful verification: record the user id
                request.session["user_id"] = user.pk
                # All permissions of the currently logged-in user
                permission_info = user.roles.all().values("permissions__url", "permissions__title").distinct()
                temp = []
                for i in permission_info:
                    temp.append(i["permissions__url"])
                request.session["permission_list"] = temp
                # {"user_id": 1, "permission_list": ['/users/', '/orders/']}
                return HttpResponse("登錄成功!")  # "Login successful!"
            else:
                return redirect("/login/")


    def users(request):
        current_path = request.path_info  # /users/edit/3
        permission_list = request.session.get("permission_list")
        if not permission_list:
            return redirect("/login/")
        flag = False
        for permission_url in permission_list:
            # re.match only anchors at the start; "^...$" makes the pattern
            # cover the whole path so '/users/' does not also allow '/users/edit/3'
            ret = re.match("^%s$" % permission_url, current_path)
            if ret:
                flag = True
                break
        if not flag:
            return HttpResponse("沒有權限")  # "No permission"
        return HttpResponse("用戶列表")  # "User list"


    def orders(request):
        current_path = request.path_info  # e.g. /orders/
        permission_list = request.session.get("permission_list")
        if not permission_list:
            return redirect("/login/")
        flag = False
        for permission_url in permission_list:
            # Same whole-path check as in users()
            ret = re.match("^%s$" % permission_url, current_path)
            if ret:
                flag = True
                break
        if not flag:
            return HttpResponse("沒有權限")  # "No permission"
        return HttpResponse("訂單列表")  # "Order list"
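Middleware
1. Problem: put the check code in a single separate file and bring it in through middleware, to avoid too much repetition.
2. What should the class inherit from? Look at the source code.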
Code:
    # s.py
    import re

    from django.utils.deprecation import MiddlewareMixin
    from django.shortcuts import redirect, HttpResponse


    class M1(MiddlewareMixin):
        def process_request(self, request):
            # e.g. /admin/login/?next=/admin/
            current_path = request.path_info

            # Whitelist: paths that need no permission check
            valid_url_menu = ["/login/", "/reg/", "/admin/.*"]
            for valid_url in valid_url_menu:
                # "^...$" so that '/login/' does not also whitelist longer paths
                ret = re.match("^%s$" % valid_url, current_path)
                if ret:
                    return None

            permission_list = request.session.get("permission_list")
            if not permission_list:
                return redirect("/login/")

            # e.g. /users/edit/3
            flag = False
            for permission_url in permission_list:
                # Whole-path match against each permitted URL pattern
                ret = re.match("^%s$" % permission_url, current_path)
                if ret:
                    flag = True
                    break
            if not flag:
                return HttpResponse("沒有權限")  # "No permission"
8. Next, accessing login is also denied. (Many URLs need permission checks, so a whitelist should be defined in the middleware s.py file.)
10. The admin path changes automatically
and redirects directly.
11. The whitelist paths were hard-coded; regexes should be used instead.
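The whitelist and session permission check described above, as an added example that is not part of the original post: it runs the same order of checks without Django and compares a start-anchored `re.match` with a whole-path `re.fullmatch`. The names `prefix_allowed`, `exact_allowed` and `check_access`, and the sample session, are constructed for illustration.

```python
import re

# Constructed sample data mirroring the whitelist and session layout on this page.
WHITELIST = ["/login/", "/reg/", "/admin/.*"]
SESSION = {
    "user_id": 1,
    "permission_list": ["/users/", "/orders/", r"/users/edit/(\d+)"],
}


def prefix_allowed(path, patterns):
    """re.match anchors only at the start, so '/users/' also covers '/users/delete/9'."""
    return any(re.match(p, path) for p in patterns if p)


def exact_allowed(path, patterns):
    """re.fullmatch requires the pattern to cover the whole path."""
    return any(re.fullmatch(p, path) for p in patterns if p)


def check_access(path, session, matcher=exact_allowed):
    """Return 'allow', 'login' or 'deny', in the same order as the middleware."""
    if matcher(path, WHITELIST):
        return "allow"          # whitelisted, no permission needed
    permission_list = session.get("permission_list")
    if not permission_list:
        return "login"          # nothing in the session: send to /login/
    return "allow" if matcher(path, permission_list) else "deny"


if __name__ == "__main__":
    paths = ["/users/", "/users/edit/3", "/users/delete/9",
             "/orders/", "/login/", "/login/extra", "/admin/login/"]
    print("%-18s %-8s %s" % ("path", "prefix", "exact"))
    for path in paths:
        print("%-18s %-8s %s" % (
            path,
            check_access(path, SESSION, prefix_allowed),
            check_access(path, SESSION, exact_allowed),
        ))
```

The `if p` filter skips empty or `None` entries, which can end up in the list when a role has no permissions attached.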