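# -*- coding: utf-8 -*-
'''
@author: Swain
@contact: 624420781@qq.com
@file: middlewares.py
@time: 2019/04/01 下午 15:10
'''
from django.db.models import F
from django.conf import settings
import re
from common.public_method import return_result
from django.shortcuts import redirect
from django.contrib.auth import authenticate
from api.models import User,Menu,Permission


class RbacMiddleware(object):
    """Deny ``/api/`` requests whose path is outside the user's permission set.

    Authorization is an exact match between ``request.path_info`` and the
    ``url`` of the permissions attached to the user's roles; any ``/api/``
    path that does not match is denied (fail closed).  Superusers
    (``user.surperman``) and paths listed in ``settings.SAFE_URL`` bypass
    the check.  The resolved ``User`` row is attached to the request as
    ``request.userobj`` for downstream views.

    NOTE(review): this is an old-style middleware (no ``__init__(get_response)``
    / ``__call__``).  If the project lists it in ``MIDDLEWARE`` rather than
    ``MIDDLEWARE_CLASSES`` it needs ``MiddlewareMixin`` -- confirm against
    settings.
    """

    # Only paths under this prefix are subject to the RBAC check.
    API_PREFIX = '/api/'

    def process_view(self, request, view, args, kwargs):
        """Return ``None`` to let the request through, or a denial response.

        Args:
            request: the Django request; ``request.user`` must already be set,
                i.e. this middleware runs after AuthenticationMiddleware.
            view, args, kwargs: the resolved view and its arguments (unused).

        Returns:
            ``None`` when the request may proceed, otherwise the response built
            by ``return_result``.  Denials report ``code=500``; 403 would be
            the conventional status, but the code is kept so existing clients
            keep working.
        """
        request_url = request.path_info
        # Non-API paths are not subject to RBAC.
        if not request_url.startswith(self.API_PREFIX):
            return None

        # Look the user up by the authenticated username only.  Passing
        # ``request.user`` itself relies on its ``__str__``, which for an
        # anonymous request is the literal "AnonymousUser" and could resolve
        # to a real account registered under that name; AnonymousUser's
        # ``username`` is '' and is rejected here instead.
        username = getattr(request.user, 'username', None)
        user = User.objects.filter(username=username).first() if username else None
        if not user:
            return return_result(status=False, code=500, message="该用户没有权限访问!")
        request.userobj = user

        if user.surperman:
            return None

        # Whitelisted paths are allowed regardless of the user's permissions,
        # so check them before loading permissions (previously a user with no
        # permissions at all could not reach a SAFE_URL path).  Exact equality
        # rather than ``in`` so a misconfigured SAFE_URL string cannot turn
        # this into a substring match.
        if any(url == request_url for url in settings.SAFE_URL):
            return None

        permission_list = user.roles.values('permissions__url').distinct()
        # Roles with no permissions yield a ``None`` url; drop those so they
        # neither count as "has permissions" nor match anything.
        permissions = {
            each['permissions__url']
            for each in permission_list
            if each['permissions__url']
        }
        if not permissions:
            return return_result(status=False, code=500, message="没有获取到用户权限信息!")

        if request_url in permissions:
            return None
        return return_result(status=False, code=500, message="没有权限访问")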