#基础知识 #rest framwork 的内置admin的权限控制中,默认为每个model生成了3个权限: add update delete #将信息保存在内置的content_type表中,表中保存了model所在的app 和model的三个权限 #admin的权限管理系统由内置的三张表组成 user group permission 三张表之间的关系又由另外3张表来连接 #他们的关系如下图 #利用内置权限管理定制自己所需要的权限系统的方法 #只需做一些稍微的修改,便可以使用内置的权限系统,为自己所用了 #1 写自己的user表,继承AbstractUser,可以添加额外的字段,但默认已经有了用户名和密码 class Manager(AbstractUser): mobile_number = models.CharField(max_length=20, verbose_name='手机号') #定制需要的登陆验证方法,默认的登陆验证是用户名和密码 class CustomBackend(ModelBackend): """ 定义用户登录方式(手机号/邮箱登录) """ def authenticate(self, request, username=None, password=None, **kwargs): try: manager = Manager.objects.get(Q(mobile_number=username) | Q(email=username)) if manager.check_password(password): return manager else: raise ValidationError('用户名或密码错误', code=status.HTTP_400_BAD_REQUEST) except Exception as e: raise ValidationError('用户名或密码错误', code=status.HTTP_400_BAD_REQUEST) #由于默认只有增改删3个权限,我们要为它添加一个查看的权限,为此我们要添加自定义权限 #在model中添加如下信息 class Kids(models.Model): class Meta: permissions = ( ('view_kids_list', '查看儿童信息表'), ) #为用户分配权限 #检验用户是否有的权限 class KidsViewSet() permission_classes = (permissions.DjangoModelPermissions,) #添加权限限制 def list(self, request, *args, **kwargs): user = request.user if user.has_perm('kids.view_kids_list'): #‘app名.权限名’ return super(KidsViewSet, self).list(request, *args, **kwargs) else: data = {'detail': '没有权限'} return Response(data, status=status.HTTP_403_FORBIDDEN) #模仿admin修改密码 #加密以及解密方法 class ManagerPasswordSerializer(serializers.Serializer): #添加额外字段的方法 old_password = serializers.CharField(source='my_field') password = serializers.CharField(required=True) class Meta: model = Manager fields = '__all__'
class ManagerPasswordViewSet(mixins.UpdateModelMixin, viewsets.GenericViewSet): """ 用户修改密码接口 """ queryset = Manager.objects.all() versioning_class = URLPathVersioning serializer_class = serializers.ManagerPasswordSerializer def update(self, request, version, *args, **kwargs): data = request.data new_password = data['password'] old_password = data['old_password'] from django.contrib.auth.hashers import check_password, make_password #验证旧密码是否正确 username = request.user.username password = Manager.objects.filter(username=username).values('password') if check_password(old_password, password[0]['password']): #修改为新密码 Manager.objects.filter(username=username).update(password=make_password(new_password)) return Response('修改成功', status=status.HTTP_200_OK) else: return Response('密码输入错误', status=status.HTTP_400_BAD_REQUEST) #最后,只要给用户分配了相应的权限,就可以轻松的拥有一套权限系统啦 #可以在用户登陆时给用户发送一个权限菜单 #思路是: #1 新建一个菜单表,存储一级二级菜单的信息,每个对应content_type表中的每个model #2 用户登陆时获取用户的权限信息(具体形式是对哪些model的什么权限),在全部的权限(菜单表)中筛选出用户对哪些model具有权限,再拼接出url, #3 按菜单表中的信息形成嵌套层级关系,最后返回给用户菜单信息 class Menu(models.Model): """ 用户权限菜单表 """ content_model = models.ForeignKey(ContentType, null=True) first_menu_name = models.CharField(max_length=100, null=True) second_menu_name = models.CharField(max_length=100, null=True) second_menu_parent = models.ForeignKey('Menu', null=True) second_menu_url = models.URLField(null=True) create_date = models.DateTimeField(verbose_name='申请日期', default=datetime.now, null=True) def __str__(self): return self.id class Meta: verbose_name = "菜单" verbose_name_plural = verbose_name def list(self, request, *args, **kwargs): # 获取域名和版本 url = request.get_host() version = request.version # 用户所有的model权限 permission_list = request.user.get_all_permissions() username = request.user.username user_model = set() for i in permission_list: model = i.split('_')[-1] user_model.add(model) user_model1 = list(user_model) first_info = Menu.objects.filter(content_model__model__in=user_model1, first_menu_name__isnull=False, second_menu_url__isnull=False).values('id', 'first_menu_name', 'second_menu_url') second_info = Menu.objects.filter(content_model__model__in=user_model1, second_menu_name__isnull=False, ).values('second_menu_name', 'second_menu_url', 'second_menu_parent_id') # 拼接完整url,替换原来的url for i in first_info: if not i['second_menu_url']: continue i['second_menu_url'] = url + '/' + version + i['second_menu_url'] for i in second_info: if not i['second_menu_url']: continue i['second_menu_url'] = url + '/' + version + i['second_menu_url'] # 形成嵌套关系 for i in first_info: i['child'] = [] for j in second_info: if i['id'] == j['second_menu_parent_id']: i['child'].append(j) first_info = list(first_info) first_info.append({'username': username}) return Response(first_info) #缺陷: 权限只能限制到表的级别,不能限制到操作action的级别
