第十三章、用戶自定義認證
13.1.用戶自定義認證
- class Meta:
abstract = True (不會創建表,只把字段繼承給子類)
- django加密方式:md5 + 鹽
- account
LADP:輕量級目錄賬號管理協議(集中賬號管理):通過網絡到LDAP服務器上進行驗證
- SSO:Single Sign on (單點登錄)
(1)settings.py
AUTH_USER_MODEL = 'crm.UserProfile'
(2)crm/models.py
class UserProfileManager(BaseUserManager): def create_user(self, email, name, password=None): """ Creates and saves a User with the given email, date of birth and password. """ if not email: raise ValueError('Users must have an email address') user = self.model( email=self.normalize_email(email), name=name, ) user.set_password(password) user.save(using=self._db) return user def create_superuser(self, email, name, password): """ Creates and saves a superuser with the given email, date of birth and password. """ user = self.create_user( email, password=password, name=name, ) user.is_admin = True user.save(using=self._db) return user class UserProfile(AbstractBaseUser,PermissionsMixin): email = models.EmailField( verbose_name='email address', max_length=255, unique=True, ) name = models.CharField(max_length=64) role = models.ManyToManyField(Role, blank=True, null=True) is_active = models.BooleanField(default=True) is_admin = models.BooleanField(default=False) is_staff = models.BooleanField(default=False) #創建用戶和超級用戶,關聯上面的 objects = UserProfileManager() USERNAME_FIELD = 'email' #必須要有的字段 REQUIRED_FIELDS = ['name'] def __str__(self): return self.email def has_perm(self, perm, obj=None): "Does the user have a specific permission?" # Simplest possible answer: Yes, always return True def has_module_perms(self, app_label): "Does the user have permissions to view the app `app_label`?" # Simplest possible answer: Yes, always return True def get_full_name(self): # The user is identified by their email address return self.email def get_short_name(self): # The user is identified by their email address return self.email @property def is_staff(self): "Is the user a member of staff?" # Simplest possible answer: All admins are staff return self.is_admin
(3)crm/admin.py
from django import forms from django.contrib import admin from django.contrib.auth.models import Group from django.contrib.auth.admin import UserAdmin as BaseUserAdmin from django.contrib.auth.forms import ReadOnlyPasswordHashField from crm.models import UserProfile class UserCreationForm(forms.ModelForm): """A form for creating new users. Includes all the required fields, plus a repeated password.""" password1 = forms.CharField(label='Password', widget=forms.PasswordInput) password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput) class Meta: model = UserProfile fields = ('email', 'name') #進行驗證 def clean_password2(self): # Check that the two password entries match password1 = self.cleaned_data.get("password1") password2 = self.cleaned_data.get("password2") if password1 and password2 and password1 != password2: raise forms.ValidationError("Passwords don't match") return password2 def save(self, commit=True): # Save the provided password in hashed format #繼承基類的save() user = super(UserCreationForm, self).save(commit=False) #把明文密碼改成密文 user.set_password(self.cleaned_data["password1"]) if commit: user.save() return user class UserChangeForm(forms.ModelForm): """A form for updating users. Includes all the fields on the user, but replaces the password field with admin's password hash display field. """ #把密碼改成哈希的了 password = ReadOnlyPasswordHashField() class Meta: model = UserProfile fields = ('email', 'password', 'name', 'is_active', 'is_superuser') def clean_password(self): # Regardless of what the user provides, return the initial value. # This is done here, rather than on the field, because the # field does not have access to the initial value return self.initial["password"] class UserProfileAdmin(BaseUserAdmin): # The forms to add and change user instances form = UserChangeForm add_form = UserCreationForm # The fields to be used in displaying the User model. # These override the definitions on the base UserAdmin # that reference specific fields on auth.User. list_display = ('email', 'name','is_superuser') list_filter = ('is_superuser',) fieldsets = ( (None, {'fields': ('email', 'password')}), ('Personal info', {'fields': ('name',)}), ('Permissions', {'fields': ('is_staff','is_active','role','user_permissions','groups','is_superuser')}), ) # add_fieldsets is not a standard ModelAdmin attribute. UserAdmin # overrides get_fieldsets to use this attribute when creating a user. add_fieldsets = ( (None, { 'classes': ('wide',), 'fields': ('email', 'name', 'password1', 'password2')} ), ) search_fields = ('email',) ordering = ('email',) filter_horizontal = ('role','user_permissions','groups') # Now register the new UserProfileAdmin... admin.site.register(UserProfile, UserProfileAdmin) # ... and, since we're not using Django's built-in permissions, # unregister the Group model from admin. # admin.site.unregister(Group)
第十四章、萬能通用權限框架設計
14.1.萬能通用權限框架設計
(1)kingadmin/permission_list.py
所有權限列表
# kingamdin/permission.py perm_dic = { # 'crm_table_index': ['table_index', 'GET', [], {}, ], # 可以查看CRM APP里所有數據庫表 'crm_table_list': ['table_obj_list', 'GET', [], {}], # 可以查看每張表里所有的數據 # 'crm_table_list': ['table_obj_list', 'GET', [], {'source':0,'status':0}], # 添加參數:只能訪問來源是qq和未報名的客戶 'crm_table_list_view': ['table_obj_change', 'GET', [], {}], # 可以訪問表里每條數據的修改頁 'crm_table_list_change': ['table_obj_change', 'POST', [], {}], # 可以對表里的每條數據進行修改 'crm_table_list_add_view': ['table_obj_add ', 'GET', [], {}], # 可以訪問數據增加頁 'crm_table_list_add': ['table_obj_add ', 'POST', [], {}], # 可以添加表數據 }
value[0]跟kingadmin/url.py里面的url_name一致
(2)kingadmin/permissions
# kingadmin/permissions.py # from django.core.urlresolvers import resolve from django.urls import resolve from django.shortcuts import render,redirect,HttpResponse from kingadmin.permission_list import perm_dic from django.conf import settings def perm_check(*args,**kwargs): #1.獲取當前請求的url #2.把url解析成url_name(通過resolve) #3.判斷用戶是否已登錄(user.is_authenticated()) #3.拿url_name到permission_dict去匹配,匹配時要包括請求方法和參數 #4.拿匹配到可權限key,調用user.has_perm(key) match_results = [None,] request = args[0] resolve_url_obj = resolve(request.path) #通過resolve解析出當前訪問的url_name current_url_name = resolve_url_obj.url_name print('---perm:',request.user,request.user.is_authenticated(),current_url_name) #match_flag = False match_key = None #判斷用戶是否登錄 if request.user.is_authenticated() is False: return redirect(settings.LOGIN_URL) for permission_key,permission_val in perm_dic.items(): #key和value(值有四個參數): 比如 'crm_table_index': ['table_index', 'GET', [], {}, ] per_url_name = permission_val[0] per_method = permission_val[1] perm_args = permission_val[2] perm_kwargs = permission_val[3] #如果當前訪問的url_name匹配上了權限里面定義的url_name if per_url_name == current_url_name: #url_name匹配上,接着匹配方法(post,get....) if per_method == request.method: # if not perm_args: #if no args defined in perm dic, then set this request to passed perm #逐個匹配參數,看每個參數是否都能對應的上。 args_matched = False #for args only for item in perm_args: #通過反射獲取到request.xxx函數 這里request_methon_func = request.GET/request.POST request_method_func = getattr(request,per_method) if request_method_func.get(item,None): # request字典中有此參數 args_matched = True else: print("arg not match......") args_matched = False break # 有一個參數不能匹配成功,則判定為假,退出該循環。因為可能有很多參數,必須所有參數都一樣才匹配成功 else: # perm_dic里面的參數可能定義的就是空的,就走這里 args_matched = True #匹配有特定值的參數 kwargs_matched = False for k,v in perm_kwargs.items(): request_method_func = getattr(request, per_method) arg_val = request_method_func.get(k, None) # request字典中有此參數 print("perm kwargs check:",arg_val,type(arg_val),v,type(v)) if arg_val == str(v): #匹配上了特定的參數 及對應的 參數值, 比如,需要request 對象里必須有一個叫 user_id=3的參數 kwargs_matched = True else: kwargs_matched = False break # 有一個參數不能匹配成功,則判定為假,退出該循環。 else: kwargs_matched = True match_results = [args_matched,kwargs_matched] print("--->match_results ", match_results) #列表里面的元素都為真 if all(match_results): #都匹配上了 match_key = permission_key break if all(match_results): #主要是獲取到app_name app_name, *per_name = match_key.split('_') print("--->matched ",match_results,match_key) print(app_name, *per_name) #per_obj = 例如:crm.crm_obj_list perm_obj = '%s.%s' % (app_name,match_key) print("perm str:",perm_obj) if request.user.has_perm(perm_obj): print('當前用戶有此權限') return True else: print('當前用戶沒有該權限') return False else: print("未匹配到權限項,當前用戶無權限") def check_permission(func): def inner(*args,**kwargs): if not perm_check(*args,**kwargs): request = args[0] return render(request,'kingadmin/page_403.html') return func(*args,**kwargs) return inner
獲取到表的名字的時候用到了 *per_name和split,具體用法解釋:
(3)page_403.html
{#kingadmin/templates/kingamdin/page_403.html#} {% extends 'kingadmin/base.html' %} {% block body %} <div class="row col-lg-offset-2"> <h1 style="font-size: 200px;">403</h1> <h4>You have no permission to access this page</h4> </div> {% endblock %}
(4)crm/models.py
Meta里面加入權限
class UserProfile(AbstractBaseUser,PermissionsMixin): email = models.EmailField( verbose_name='email address', max_length=255, unique=True, ) name = models.CharField(max_length=64) role = models.ManyToManyField(Role, blank=True, null=True) is_active = models.BooleanField(default=True) is_admin = models.BooleanField(default=False) is_staff = models.BooleanField(default=True) #創建用戶和超級用戶,關聯上面的 objects = UserProfileManager() USERNAME_FIELD = 'email' #必須要有的字段 REQUIRED_FIELDS = ['name'] def __str__(self): return self.email # def has_perm(self, perm, obj=None): # "Does the user have a specific permission?" # # Simplest possible answer: Yes, always # return True # # def has_module_perms(self, app_label): # "Does the user have permissions to view the app `app_label`?" # # Simplest possible answer: Yes, always # return True def get_full_name(self): # The user is identified by their email address return self.email def get_short_name(self): # The user is identified by their email address return self.email # @property # def is_staff(self): # "Is the user a member of staff?" # # Simplest possible answer: All admins are staff # return self.is_admin class Meta: permissions = ( ('crm_table_list','可以查看每張表里所有的數據'), ('crm_table_list_view','可以訪問表里每條數據的修改頁'), ('crm_table_list_change','可以對表里的每條數據進行修改'), ('crm_table_list_add_view','可以訪問數據增加頁'), ('crm_table_list_add','可以添加表數據'), )
(5)kingadmin/views.py加裝飾器
(6)admin后台管理權限
現在訪問客戶列表(還有增加修改頁面)是沒有權限的
必須在后台賦予權限才可以
再訪問就可以了
14.2.自定義權限鈎子實現
只允許用戶訪問自己創建的數據,比如只允許銷售訪問自己創建的客戶:
(1)kingadmin/permission_list.py
'crm_table_list': ['table_obj_list', 'GET', [], {},permission_hook.view_my_own_customers],
(2)kingadmin/permission_hook.py
# kingadmin/permission_hook.py def view_my_own_customers(request): #當前登錄的用戶id 等於客戶的顧問的id(銷售創建客戶的時候,顧問就是銷售自己) #實現銷售只能看自己的客戶功能 if str(request.user.id) == request.GET.get('consultant'): return True else: return False
(3)kingadmin/permissions.py
現在銷售就只能看到自己創建的客戶了
這樣,萬通通用的權限框架就開發完畢了,權限的控制可大可小,而且想要移植到其它django項目時, 唯一需要改的,就是配置好perm_dic里的權限條目!