
Django web framework: permission management (part 1)

Published: 2023-09-06 01:24  Editor: 顾先生  Keywords: no tags

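1. Requirements analysis:

Preparation: create standalone apps:
rbac     # permission-management module/component
app01    # application

Permissions are assigned as URLs.

2. Database design

2.1 Design approach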

Version 1:

Permission table:
ID    url                       title          is_menu
1     /index/                   Home           False
2     /userinfo/                User list      True
3     /userinfo/add/            Add user       True
4     /userinfo/del/(\d+)/      Delete user    False
5     /userinfo/edit/(\d+)/     Edit user      False

User table:
ID    username    password    ....
1     番禺        123
2     夹缝        123
3     果冻        123
4     鲁宁        123

Permission-user relation table:
User ID    Permission ID
1          1
1          2
1          3
1          4
1          5
2          1
2          2
2          3
3          1
4          1
4          2
4          3

  

  

Version 2:

User table:
ID    username    password    ....
1     番禺        123
2     夹缝        123
3     果冻        123
4     鲁宁        123

Role table:
ID    title
1     CEO
2     CTO
4     COO
5     Department manager
6     Technician

User-role relation table:
User ID    Role ID
1          1
1          2
1          4
2          5
3          6
4          6

Permission table:
ID    url                       title
1     /index/                   Home
2     /userinfo/                User list
3     /userinfo/add/            Add user
4     /userinfo/del/(\d+)/      Delete user
5     /userinfo/edit/(\d+)/     Edit user

Role-permission relation table:
Role ID    Permission ID
1          1

2.2 Create the model classes: app01.models.py

from django.db import models


class UserInfo(models.Model):
    username = models.CharField(max_length=32, verbose_name='用户名')  # user name
    # Note: this tutorial stores the password as plain text
    password = models.CharField(max_length=32, verbose_name='密码')  # password
    email = models.CharField(max_length=32, verbose_name='邮件')  # e-mail
    roles = models.ManyToManyField(to='Role', verbose_name='具有的所有角色', blank=True)  # all roles the user has

    class Meta:
        verbose_name_plural = '用户表'  # user table

    def __str__(self):
        return self.username


class Permissions(models.Model):
    title = models.CharField(max_length=64, verbose_name='标题')  # title
    url = models.CharField(max_length=64, verbose_name='含规则URL')  # URL, may contain a regex
    is_menu = models.BooleanField(verbose_name='是否是菜单')  # whether it is a menu entry

    class Meta:
        verbose_name_plural = '权限表'  # permission table

    def __str__(self):
        return self.title


class Role(models.Model):
    title = models.CharField(max_length=32)
    permissions = models.ManyToManyField(to='Permissions', verbose_name='具有的所有权限', blank=True)  # all permissions the role has

    class Meta:
        verbose_name_plural = '角色表'  # role table

    def __str__(self):
        return self.title

  

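3. Entering the permission data:

CEO: 番禺
/userinfo/
/userinfo/add/
/userinfo/edit/(\d+)/
/userinfo/del/(\d+)/
/order/
/order/add/
/order/edit/(\d+)/
/order/del/(\d+)/

Director: 鲁宁
/userinfo/
/userinfo/add/
/order/
/order/add/

Manager: 肾松
/userinfo/
/order/

Salesperson: 肾松, 文飞, 成栋
/order/

PS: the de-duplication problem:
1. User logs in
- get all roles the current user has
- get all permissions the current user has
- get all permissions the current user has (de-duplicated)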

  

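4. Permission workflow summary

a. Create the rbac app
b. Create the table structure; rbac stands for role-based access control
- three classes
- five tables
c. Enter the permission data through Django admin
python manage.py createsuperuser
- root
- root!2345
d. User login routine
- get all permissions the current user has (de-duplicated)
- take the url from each permission and put it in the session
rbac.service.init_permission
def init_permission(user, request):
    pass
e. Middleware
- whitelist
- get the request URL
- the permission information saved in the session
- loop over the urls: re.match(db_url, current_url)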

  



5. Code in rbac:

- models.py
- admin.py
- service.init_permission.py    # permission component
- middlewares.rbac.py           # middleware

Configure the whitelist in the settings configuration file:
VALID_URL = ["/login/","/admin.*"]

6. Code listing

 6.1 E:\Django项目练习03\rbac\service\init_permissions.py

def init_permissions(user, request):
    url_list = []
    # Get all URL permissions of the user through the user's roles
    permission_url_list = user.roles.values('permissions__url', 'permissions__title', 'permissions__is_menu').distinct()
    # Add the de-duplicated URL permissions to url_list
    for item in permission_url_list:
        url_list.append(item['permissions__url'])
    print('url_list:', url_list)
    # Store the permission URLs in the session
    request.session['permission_url_list'] = url_list

6.2 Middleware configuration in settings

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'rbac.middlewares.rbac.RbacMiddleware',    # import path of the permission-management component
]

6.3 Code of rbac.py: E:\Django项目练习03\rbac\middlewares\rbac.py

import re

from django.shortcuts import render, redirect, HttpResponse
from django.conf import settings


class MiddlewareMixin(object):
    def __init__(self, get_response=None):
        self.get_response = get_response
        super(MiddlewareMixin, self).__init__()

    def __call__(self, request):
        response = None
        if hasattr(self, 'process_request'):
            response = self.process_request(request)
        if not response:
            response = self.get_response(request)
        if hasattr(self, 'process_response'):
            response = self.process_response(request, response)
        return response


class RbacMiddleware(MiddlewareMixin):
    def process_request(self, request):
        # 1. Get the URL of the current request: request.path_info
        # 2. Get the current user's permissions saved in the session:
        #    request.session.get("permission_url_list")
        current_url = request.path_info
        # Whitelisted URLs need no permission check
        for url in settings.VALID_URL:
            if re.match(url, current_url):
                return None
        permission_list = request.session.get("permission_url_list")
        print('permission_list', permission_list)
        if not permission_list:
            return redirect('/login/')
        flag = False
        for db_url in permission_list:
            regex = "^{0}$".format(db_url)
            if re.match(regex, current_url):
                flag = True
                break
        if not flag:
            return HttpResponse('无权访问')  # "No permission to access"
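The matching rules of RbacMiddleware, reproduced without Django as an added example (not code from the original article): page_check copies the article's re.match logic with its VALID_URL whitelist, while strict_check and STRICT_VALID_URL are hypothetical hardened variants that require whole-path matches. The request paths in SAMPLE_PATHS are constructed for illustration.

```python
import re

# From the article: whitelist in settings and URL rules from the permission table.
VALID_URL = ["/login/", "/admin.*"]
PERMISSIONS = ["/userinfo/", "/userinfo/add/", r"/userinfo/edit/(\d+)/"]

# Assumption (not in the article): a whitelist meant to be matched as a whole path.
STRICT_VALID_URL = ["/login/", "/admin/.*"]

# Constructed request paths used to compare the two checks.
SAMPLE_PATHS = ["/login/", "/login/export/", "/adminreport/", "/admin/login/",
                "/userinfo/edit/7/", "/userinfo/edit/7/\n", "/order/"]


def page_check(path, whitelist=VALID_URL, permissions=PERMISSIONS):
    """Same decisions as RbacMiddleware.process_request in the article."""
    for pattern in whitelist:
        if re.match(pattern, path):  # anchored at the start only: prefix match
            return "whitelisted"
    for db_url in permissions:
        # "$" also matches just before a trailing newline
        if re.match("^{0}$".format(db_url), path):
            return "permitted"
    return "denied"


def strict_check(path, whitelist=STRICT_VALID_URL, permissions=PERMISSIONS):
    """Hardened variant: every pattern must cover the entire path."""
    for pattern in whitelist:
        if re.fullmatch(pattern, path):
            return "whitelisted"
    for db_url in permissions:
        if re.fullmatch(db_url, path):
            return "permitted"
    return "denied"


def compare(paths=SAMPLE_PATHS):
    """Return (path, article result, strict result) for each sample path."""
    return [(p, page_check(p), strict_check(p)) for p in paths]


if __name__ == "__main__":
    for path, loose, strict in compare():
        marker = "  <-- differs" if loose != strict else ""
        print("{0!r:28} page={1:12} strict={2}{3}".format(path, loose, strict, marker))
```

Paths where the two results differ are requests that the article's whitelist lets through without any permission lookup, which is the place to tighten the patterns before reusing the middleware.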

6.4 Using the rbac component. Application path: E:\Django项目练习03\app01\views.py

from django.shortcuts import render, redirect, HttpResponse

from app01 import models
from rbac.service.init_permissions import init_permissions


def login(request):
    if request.method == "GET":
        return render(request, 'login.html')
    else:
        username = request.POST.get('user')
        password = request.POST.get('pwd')
        # Tutorial-only lookup: compares the submitted password with the stored plain-text value
        user = models.UserInfo.objects.filter(username=username, password=password).first()
        if not user:
            return render(request, 'login.html')
        else:
            init_permissions(user, request)    # store the user's permissions in the session
            return redirect('/index/')


def index(request):
    return HttpResponse('首页页面')  # home page


def userinfo(request):
    return HttpResponse('用户管理')  # user management


def userinfo_add(request):
    return HttpResponse('添加用户')  # add user


def order(request):
    return HttpResponse('订单管理')  # order management


def order_add(request):
    return HttpResponse('添加订单')  # add order

6.5 URL routing configuration

# django.conf.urls.url is the Django 1.x/2.x API (removed in Django 4.0, where re_path replaces it)
from django.conf.urls import url
from django.contrib import admin

from app01 import views as app01_views

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^login/', app01_views.login),
    url(r'^index/', app01_views.index),
    url(r'^userinfo/$', app01_views.userinfo),
    url(r'^userinfo/add/$', app01_views.userinfo_add),
    url(r'^order/$', app01_views.order),
    url(r'^order/add/$', app01_views.order_add),
]

  

 


Original article: http://www.cnblogs.com/supery007/p/7800755.html
