3 权限粒度控制到按钮
不同用户登录系统时候,根据权限不同来控制是否限制指定按钮
第一步:修改表结构
class Permission(models.Model):
"""
权限表
"""
title = models.CharField(verbose_name='标题', max_length=32)
url = models.CharField(verbose_name='含正则的URL', max_length=128)
name = models.CharField(verbose_name="URL别名", max_length=32, unique=True)
menu = models.ForeignKey(verbose_name='所属菜单', to='Menu', null=True, blank=True, help_text='null表示不是菜单;非null表示是二级菜单',
on_delete=models.CASCADE)
pid = models.ForeignKey(verbose_name="关联的权限", to="Permission", null=True, blank=True, related_name="parents",
help_text="对于非菜单权限需要选择一个可以成为菜单的权限,用于做默认展开和选中菜单",
on_delete=models.CASCADE)
def __str__(self):
return self.title
第二步:修改初始化信息
init_permission.py
from django.conf import settings
def init_permission(current_user, request):
"""
用户权限信息的初始化
:param current_user:当前用户对象
:param request:当前用户的请求数据
:return:
"""
# 根据当前用户信息获取此用户拥有的所有权限
permission_queryset = current_user.roles.filter(permissions__isnull=False).values(
"permissions__id",
"permissions__title",
"permissions__url",
"permissions__name",
"permissions__pid__id",
"permissions__pid__title",
"permissions__pid__url",
"permissions__menu__id",
"permissions__menu__title",
"permissions__menu__icon", ).distinct()
# 获取权限+菜单信息,写入session
menu_dict = {}
permissions_dict = {}
for item in permission_queryset:
permissions_dict[item["permissions__name"]] = {
"id": item["permissions__id"],
"title": item["permissions__title"],
"url": item["permissions__url"],
"pid": item['permissions__pid__id'],
"p_title": item["permissions__pid__title"],
"p_url": item["permissions__pid__url"]
}
menu_id = item["permissions__menu__id"]
if not menu_id:
continue
node = {"id": item["permissions__id"], "title": item["permissions__title"], "url": item["permissions__url"]}
if menu_id in menu_dict:
menu_dict[menu_id]["children"].append(node)
else:
menu_dict[menu_id] = {
"title": item["permissions__menu__title"],
"icon": item["permissions__menu__icon"],
"children": [node, ]
}
request.session[settings.PERMISSION_SESSION_KEY] = permissions_dict
request.session[settings.MENU_SESSION_KEY] = menu_dict
第三步:修改中间件
rbac.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import re
from django.utils.deprecation import MiddlewareMixin
from django.shortcuts import HttpResponse
from django.conf import settings
class RbacMiddleware(MiddlewareMixin):
"""
用户权限信息校验
"""
def process_request(self, request):
"""
当用户请求刚进入时候出发执行
:param request:
:return:
"""
"""
1. 获取当前用户请求的URL
2. 获取当前用户在session中保存的权限列表 ['/customer/list/','/customer/list/(?P<cid>\\d+)/']
3. 权限信息匹配
"""
current_url = request.path_info
for valid_url in settings.VALID_URL_LIST:
if re.match(valid_url, current_url):
# 白名单中的URL无需权限验证即可访问
return None
permission_dict = request.session.get(settings.PERMISSION_SESSION_KEY)
if not permission_dict:
return HttpResponse('未获取到用户权限信息,请登录!')
flag = False
url_record = [
{"title": "首页", "url": "#"}
]
for item in permission_dict.values():
reg = "^%s$" % item["url"]
if re.match(reg, current_url):
flag = True
request.current_selected_permission = item["pid"] or item["id"]
if not item["pid"]:
url_record.extend([{"title": item["title"], "url": item["url"], "class":"active"}])
else:
url_record.extend([
{"title": item["p_title"], "url": item["p_url"]},
{"title": item["title"], "url": item["url"], "class":"active"},
])
request.url_record = url_record
break
if not flag:
return HttpResponse('无权访问')
第四步:filter过滤
rbac.py
from django.template import Library
from django.conf import settings
register = Library()
@register.filter
def has_permission(request, name):
"""最多只能传2个参数,做权限过滤"""
if name in request.session[settings.PERMISSION_SESSION_KEY]:
return True
第五步:模板应用
customer_list.html
{% extends 'layout.html' %}
{% load rbac %}
{% block content %}
<div class="luffy-container">
<div class="btn-group" style="margin: 5px 0">
{% if request|has_permission:"customer_add" %}
<a class="btn btn-default" href="/customer/add/">
<i class="fa fa-plus-square" aria-hidden="true"></i> 添加客户
</a>
{% endif %}
{% if request|has_permission:"customer_import" %}
<a class="btn btn-default" href="/customer/import/">
<i class="fa fa-file-excel-o" aria-hidden="true"></i> 批量导入
</a>
{% endif %}
</div>
<table class="table table-bordered table-hover">
<thead>
<tr>
<th>ID</th>
<th>客户姓名</th>
<th>年龄</th>
<th>邮箱</th>
<th>公司</th>
{% if request|has_permission:"customer_del" or request|has_permission:"customer_edit" %}
<th>选项</th>
{% endif %}
</tr>
</thead>
<tbody>
{% for row in data_list %}
<tr>
<td>{{ row.id }}</td>
<td>{{ row.name }}</td>
<td>{{ row.age }}</td>
<td>{{ row.email }}</td>
<td>{{ row.company }}</td>
{% if request|has_permission:"customer_del" or request|has_permission:"customer_edit" %}
<td>
{% if request|has_permission:"customer_edit" %}
<a style="color: #333333;" href="/customer/edit/{{ row.id }}/">
<i class="fa fa-edit" aria-hidden="true"></i></a>
{% endif %}
{% if request|has_permission:"customer_del" %}
<a style="color: #d9534f;" href="/customer/del/{{ row.id }}/"><i
class="fa fa-trash-o"></i></a>
{% endif %}
</td>
{% endif %}
</tr>
{% endfor %}
</tbody>
</table>
</div>
{% endblock %}
权限粒度控制到按钮代码下载
