Permission: in this design a permission is simply a URL pattern (stored as a regular expression) that a user is allowed to request.
RBAC permission management:
Role-Based Access Control. Users are linked to permissions through roles: one user can hold several roles, and one role can carry several permissions.
This gives the "user-role-permission" authorization model, in which the user-role relationship and the role-permission relationship are both normally many-to-many.
(RBAC model: role-based access control). Sample tables:

User
id  name   age
1   alex   23
2   egon   45
3   peiqi  89

Role
id  title
1   Sales
2   CEO
3   Sales Director

UserInfo2Role
id  user_id  role_id
1   1        1
2   2        1
3   3        1

Permission
id  title           url
1   View customers  /stark/crm/customer/
2   Add customer    /stark/crm/customer/add
3   View orders     /stark/crm/order/
4   Add order       /stark/crm/order/add

Role2Permission
id  role_id  permission_id
1   1        1
2   1        2
3   1        3
4   1        4
In the permission app (rbac), the models in models.py:

from django.db import models

# Create your models here.


class User(models.Model):
    name = models.CharField(max_length=32)
    # Stored as plain text on this page; Django's password hashers are the
    # usual choice in a real deployment.
    password = models.CharField(max_length=32)
    # A user holds many roles; a role belongs to many users.
    roles = models.ManyToManyField('Role')

    def __str__(self):
        return self.name


class Role(models.Model):
    name = models.CharField(max_length=32)
    # A role carries many permissions; a permission belongs to many roles.
    permissions = models.ManyToManyField("Permission")

    def __str__(self):
        return self.name


class Permission(models.Model):
    title = models.CharField(max_length=32)
    # The URL pattern (a regular expression) this permission grants access to.
    url = models.CharField(max_length=128)

    def __str__(self):
        return self.title
Entering permissions
In another app, app1, define two models in models.py. These are the Customer and Order tables that will be placed under permission management, with separate permissions for the create, delete, update and query operations:

from django.db import models

# Create your models here.


class Customer(models.Model):
    name = models.CharField(max_length=32, verbose_name="客戶姓名")

    def __str__(self):
        return self.name


class Order(models.Model):
    order_id = models.CharField(max_length=32)

    def __str__(self):
        return self.order_id
1. Run the database migrations:
python manage.py makemigrations
python manage.py migrate
2. Include the stark component.
3. Design the permission URLs that go into the Permission table.
Project views: the login view

from django.shortcuts import render, HttpResponse, redirect
from rbac.service.permissions import permission_init
from rbac.models import User

# Create your views here.


def login(request):
    if request.method == "GET":
        return render(request, "login.html")
    else:
        user = request.POST.get("user")
        password = request.POST.get("password")
        # Plain-text comparison, matching the User model above; a real
        # deployment would compare against a hashed password instead.
        user_obj = User.objects.filter(name=user, password=password).first()
        if user_obj:
            # Login succeeded: remember the user in the session
            request.session["user_id"] = user_obj.pk
            # Collect every permission URL reachable through the user's roles
            role_queryset = user_obj.roles.all().values("permissions__url")
            permission_list = []
            for dic in role_queryset:
                # Add each permission URL to the permission list
                permission_list.append(dic["permissions__url"])
            # Inject the permission list into the session
            request.session["permission_list"] = permission_list
            # Equivalent helper provided by rbac/service/permissions.py
            permission_init(request, user_obj)
        else:
            return redirect("/login/")
    return redirect("/index/")


def index(request):
    return render(request, "index.html")
Create the access-permission middleware:

import re

from django.utils.deprecation import MiddlewareMixin
from django.shortcuts import HttpResponse, render, redirect


class PermissionMiddleWare(MiddlewareMixin):
    def process_request(self, request):
        # Path of the current request
        current_path = request.path
        # 1. Let whitelisted paths through. The patterns are anchored so that a
        #    path which merely contains "/login/" somewhere is not whitelisted.
        white_list = [r"^/login/$", r"^/admin/"]
        for reg in white_list:
            if re.search(reg, current_path):
                return None  # allow
        # 2. Require a logged-in user
        if not request.session.get("user_id"):
            return redirect("/login/")
        # 3. Permission check: fetch the current user's permission list
        permission_list = request.session.get("permission_list", [])
        # Regex match; "^...$" anchors so the whole path must match a permission
        for reg_path in permission_list:
            reg_path = "^%s$" % reg_path
            if re.search(reg_path, current_path):
                return None
        return HttpResponse("您沒有訪問權限!")
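The two mechanisms the page describes, deriving a user's permission list from the user-role-permission tables (as the login view does with values("permissions__url")) and the middleware's whitelist plus anchored-regex check, condensed into plain Python so they run without Django. This is an added example, not code from the page's project: the in-memory tables are constructed from the sample RBAC tables earlier on the page, and check_access is a hypothetical stand-in for PermissionMiddleWare.process_request. It also shows why the whitelist patterns must be anchored: with an unanchored re.search, a path that merely contains "/login/" would skip the permission check entirely.

```python
import re

# Constructed in-memory copies of the sample RBAC tables from the page.
USERS = {1: "alex", 2: "egon", 3: "peiqi"}
ROLES = {1: "Sales", 2: "CEO", 3: "Sales Director"}
USER2ROLE = [(1, 1), (2, 1), (3, 1)]          # (user_id, role_id)
PERMISSIONS = {                                # id -> (title, url pattern)
    1: ("View customers", "/stark/crm/customer/"),
    2: ("Add customer", "/stark/crm/customer/add"),
    3: ("View orders", "/stark/crm/order/"),
    4: ("Add order", "/stark/crm/order/add"),
}
ROLE2PERM = [(1, 1), (1, 2), (1, 3), (1, 4)]  # (role_id, permission_id)


def permission_list_for(user_id):
    """User -> roles -> permissions, the join the login view performs."""
    role_ids = {r for (u, r) in USER2ROLE if u == user_id}
    perm_ids = {p for (r, p) in ROLE2PERM if r in role_ids}
    return sorted(PERMISSIONS[p][1] for p in perm_ids)


def login(session, user_id):
    """Mimic the login view: store the user id and its permission list."""
    session["user_id"] = user_id
    session["permission_list"] = permission_list_for(user_id)
    return session


# Hypothetical whitelists: anchored (safe) versus the unanchored originals.
WHITE_LIST_ANCHORED = [r"^/login/$", r"^/admin/"]
WHITE_LIST_UNANCHORED = ["/login/", "/admin*/"]


def check_access(path, session, white_list=WHITE_LIST_ANCHORED):
    """Mirror process_request; returns 'allow', 'redirect-login' or 'deny'."""
    # 1. Whitelist
    for reg in white_list:
        if re.search(reg, path):
            return "allow"
    # 2. Login required
    if not session.get("user_id"):
        return "redirect-login"
    # 3. Whole-path match against the session's permission patterns
    for reg_path in session.get("permission_list", []):
        if re.search("^%s$" % reg_path, path):
            return "allow"
    return "deny"


if __name__ == "__main__":
    s = login({}, 1)  # alex, role Sales, all four permissions
    print(check_access("/stark/crm/order/add", s))          # allow
    print(check_access("/stark/crm/order/add/extra", s))    # deny
    print(check_access("/stark/crm/customer/", {}))         # redirect-login
    # Unanchored whitelist lets a path containing "/login/" bypass the check
    print(check_access("/stark/crm/customer/login/", {}, WHITE_LIST_UNANCHORED))
```

Running it shows the anchored check sending an anonymous request for /stark/crm/customer/login/ to the login page, while the unanchored patterns from the original middleware let the same request through; the "/admin*/" pattern likewise matches "/admi/" because the star applies only to the final "n".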
Permission app rbac: where the related files live:
Register the middleware in the project's settings.py:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    # Must come after SessionMiddleware, since it reads request.session
    'rbac.service.middleware.PermissionMiddleWare',
]