1、权限组的表分析
auth_group --- 是存储权限分组
auth_permission --- 存放用户可以使用哪个表
auth_group_permissions --- 连接权限分组和能使用权限的表
auth_user_groups --- 连接用户信息表和权限分组表
后台的功能实现
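# Create the following views in apps/admin/views.py.
#
# NOTE(review): none of the classes in this snippet carries a login or
# permission mixin, yet they create groups, grant permissions and can set
# is_superuser on a user. Confirm that the URL layer (or the mixins shown
# further down the file) restricts them to authorised staff.


def _load_json_body(request):
    """Decode ``request.body`` as a JSON object.

    Returns ``(data, None)`` on success, or ``(None, response)`` where
    ``response`` is the ``to_json_data`` error reply the caller should return
    unchanged. An empty body, undecodable bytes, malformed JSON and a JSON
    value that is not an object are all reported as ``Code.PARAMERR`` instead
    of escaping as an unhandled exception (HTTP 500).
    """
    json_data = request.body
    if not json_data:
        return None, to_json_data(errno=Code.PARAMERR, errmsg=error_map[Code.PARAMERR])
    try:
        dict_data = json.loads(json_data.decode('utf8'))
    except ValueError as e:  # covers UnicodeDecodeError and json.JSONDecodeError
        logger.info('请求体json解析异常: {}'.format(e))
        return None, to_json_data(errno=Code.PARAMERR, errmsg=error_map[Code.PARAMERR])
    if not isinstance(dict_data, dict):
        return None, to_json_data(errno=Code.PARAMERR, errmsg=error_map[Code.PARAMERR])
    return dict_data, None


def _parse_id_set(raw_ids):
    """Turn a JSON array of ids into a ``set`` of ``int``.

    Raises ``TypeError`` when ``raw_ids`` is not an array (a bare string
    would otherwise be iterated character by character) and ``TypeError`` or
    ``ValueError`` when an element cannot be converted with ``int()``.
    """
    if isinstance(raw_ids, (str, bytes)) or not isinstance(raw_ids, (list, tuple, set)):
        raise TypeError('ids must be a json array')
    return {int(i) for i in raw_ids}


def _clean_group_name(dict_data):
    """Return the stripped ``name`` field, or ``''`` when missing or not a string."""
    group_name = dict_data.get('name', '')
    return group_name.strip() if isinstance(group_name, str) else ''


class GroupsManageView(View):
    """
    /admin/groups/
    Render the group list page; each group is annotated with its member count.
    """

    def get(self, request):
        # Groups with the most members first; id breaks ties so the order is stable.
        groups = (
            Group.objects.values('id', 'name')
            .annotate(num_users=Count('user'))
            .order_by('-num_users', 'id')
        )
        return render(request, 'admin/user/groups_manage.html', {'groups': groups})


class GroupsAddView(View):
    """
    /admin/groups/add/
    GET renders the form; POST creates a group with a set of permissions.
    """

    def get(self, request):
        # NOTE(review): only('id') defers every other column; if the template
        # reads name/codename, each row costs an extra query — TODO confirm.
        permissions = Permission.objects.only('id').all()
        return render(request, 'admin/user/groups_add.html', {'permissions': permissions})

    def post(self, request):
        """Create a group. Body: ``{"name": str, "group_permissions": [id, ...]}``.

        Returns a ``to_json_data`` reply; ``Code.PARAMERR`` for a bad body,
        name or permission list, ``Code.DATAEXIST`` for a duplicate name.
        """
        dict_data, error = _load_json_body(request)
        if error is not None:
            return error
        group_name = _clean_group_name(dict_data)
        if not group_name:
            return to_json_data(errno=Code.PARAMERR, errmsg='组名为空')
        if Group.objects.filter(name=group_name).exists():
            return to_json_data(errno=Code.DATAEXIST, errmsg='组名已存在')
        group_permissions = dict_data.get('group_permissions')
        if not group_permissions:
            return to_json_data(errno=Code.PARAMERR, errmsg='权限参数为空')
        try:
            permissions_set = _parse_id_set(group_permissions)
        except (TypeError, ValueError) as e:
            logger.info('传的权限参数异常: {}'.format(e))
            return to_json_data(errno=Code.PARAMERR, errmsg='权限参数异常')
        permissions = Permission.objects.filter(id__in=permissions_set)
        if permissions.count() != len(permissions_set):
            return to_json_data(errno=Code.PARAMERR, errmsg='有不存在的权限参数')
        # Only create the group once every permission id is known to exist;
        # creating it before validation left an empty group behind whenever
        # the permission list was rejected.
        one_group, is_created = Group.objects.get_or_create(name=group_name)
        if not is_created:
            # Lost a race with a concurrent create of the same name.
            return to_json_data(errno=Code.DATAEXIST, errmsg='组名已存在')
        one_group.permissions.set(permissions)
        return to_json_data(errmsg='组创建成功!')


class GroupsEditView(View):
    """
    /admin/groups/<int:group_id>/
    GET renders the edit form, PUT updates name and permissions, DELETE
    removes the group.
    """

    def get(self, request, group_id):
        group = Group.objects.filter(id=group_id).first()
        if group is None:
            raise Http404('需要更新的组不存在!')
        permissions = Permission.objects.only('id').all()
        return render(request, 'admin/user/groups_add.html',
                      {'group': group, 'permissions': permissions})

    def delete(self, request, group_id):
        group = Group.objects.filter(id=group_id).first()
        if group is None:
            return to_json_data(errno=Code.PARAMERR, errmsg="需要删除的用户组不存在")
        # delete() also removes the group's rows in the group<->permission and
        # user<->group through tables, so no explicit clear() is needed.
        group.delete()
        return to_json_data(errmsg="用户组删除成功")

    def put(self, request, group_id):
        """Update name and permissions. Body: ``{"name": str, "group_permissions": [id, ...]}``.

        The submitted list becomes the group's complete permission set:
        permissions left out of it are revoked.
        """
        group = Group.objects.filter(id=group_id).first()
        if group is None:
            return to_json_data(errno=Code.NODATA, errmsg='需要更新的用户组不存在')
        dict_data, error = _load_json_body(request)
        if error is not None:
            return error
        group_name = _clean_group_name(dict_data)
        if not group_name:
            return to_json_data(errno=Code.PARAMERR, errmsg='组名为空')
        if group_name != group.name and Group.objects.filter(name=group_name).exists():
            return to_json_data(errno=Code.DATAEXIST, errmsg='组名已存在')
        group_permissions = dict_data.get('group_permissions')
        if not group_permissions:
            return to_json_data(errno=Code.PARAMERR, errmsg='权限参数为空')
        try:
            permissions_set = _parse_id_set(group_permissions)
        except (TypeError, ValueError) as e:
            logger.info('传的权限参数异常: {}'.format(e))
            return to_json_data(errno=Code.PARAMERR, errmsg='权限参数异常')
        permissions = Permission.objects.filter(id__in=permissions_set)
        if permissions.count() != len(permissions_set):
            return to_json_data(errno=Code.PARAMERR, errmsg='有不存在的权限参数')
        existed_permissions_set = set(group.permissions.values_list('id', flat=True))
        if group_name == group.name and permissions_set == existed_permissions_set:
            return to_json_data(errno=Code.DATAEXIST, errmsg='用户组信息未修改')
        # set() replaces the whole relation. The previous add()-only loop could
        # grant permissions but never take one away through this endpoint.
        group.permissions.set(permissions)
        group.name = group_name
        group.save()
        return to_json_data(errmsg='组更新成功!')


class UsersManageView(View):
    """
    /admin/users/
    Render the list of active users with their staff/superuser flags.
    """

    def get(self, request):
        users = Users.objects.only('username', 'is_staff', 'is_superuser').filter(is_active=True)
        return render(request, 'admin/user/users_manage.html', {'users': users})


class UsersEditView(View):
    """
    /admin/users/<int:user_id>/
    GET renders the edit form, PUT sets the user's groups and the
    staff/superuser/active flags, DELETE deactivates the user (soft delete).
    """

    def get(self, request, user_id):
        user_instance = Users.objects.filter(id=user_id).first()
        if user_instance is None:
            raise Http404('需要更新的用户不存在!')
        groups = Group.objects.only('name').all()
        return render(request, 'admin/user/users_edit.html',
                      {'user_instance': user_instance, 'groups': groups})

    def put(self, request, user_id):
        """Body: ``{"groups": [id, ...], "is_staff": 0|1, "is_superuser": 0|1, "is_active": 0|1}``.

        ``groups`` may be omitted or empty, which removes every membership.
        NOTE(review): this grants is_superuser to whoever the caller names;
        make sure only users entitled to do that can reach this view.
        """
        user_instance = Users.objects.filter(id=user_id).first()
        if user_instance is None:
            return to_json_data(errno=Code.NODATA, errmsg='需要更新的用户不存在')
        dict_data, error = _load_json_body(request)
        if error is not None:
            return error
        groups = dict_data.get('groups')
        try:
            flags = tuple(int(dict_data.get(key)) for key in ('is_staff', 'is_superuser', 'is_active'))
        except (TypeError, ValueError) as e:
            # int(None) for a missing flag, int('x') for a malformed one
            logger.info('从前端获取参数出现异常: {}'.format(e))
            return to_json_data(errno=Code.PARAMERR, errmsg='参数错误')
        if not all(flag in (0, 1) for flag in flags):
            return to_json_data(errno=Code.PARAMERR, errmsg='参数错误')
        is_staff, is_superuser, is_active = flags
        try:
            groups_set = _parse_id_set(groups) if groups else set()
        except (TypeError, ValueError) as e:
            logger.info('传的用户组参数异常: {}'.format(e))
            return to_json_data(errno=Code.PARAMERR, errmsg='用户组参数异常')
        gs = Group.objects.filter(id__in=groups_set)
        if gs.count() != len(groups_set):
            return to_json_data(errno=Code.PARAMERR, errmsg='有不存在的用户组参数')
        # set() replaces the membership, so a separate clear() is unnecessary.
        user_instance.groups.set(gs)
        user_instance.is_staff = bool(is_staff)
        user_instance.is_superuser = bool(is_superuser)
        user_instance.is_active = bool(is_active)
        user_instance.save()
        return to_json_data(errmsg='用户信息更新成功!')

    def delete(self, request, user_id):
        user_instance = Users.objects.filter(id=user_id).first()
        if user_instance is None:
            return to_json_data(errno=Code.PARAMERR, errmsg="需要删除的用户不存在")
        user_instance.groups.clear()            # drop group memberships
        user_instance.user_permissions.clear()  # drop directly granted permissions
        user_instance.is_active = False         # soft delete: row stays, login is blocked
        user_instance.save()
        return to_json_data(errmsg="用户删除成功")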
admin登录继承 LoginRequiredMixin
admin登录权限继承 PermissionRequiredMixinfrom django.contrib.auth.mixins import LoginRequiredMixin,PermissionRequiredMixinclass IndexView(LoginRequiredMixin,View)""" create admin index view /admin/
""" # login_url = 'users:login' # 没有权限就重写到这个 redirect_field_name = 'next' # 登录成功转到的页面 def get(self,request): return render(request,'admin/index/index.html') class TagManageView(PermissionRequiredMixin,View): """ route: /admin/tags/`` """ permission_required = ('news.add_tag','news.view_tag') # news是数据库所在的app名称,add或view为权限表中增删改查的一种,tag为表名称 raise_exception = True # 默认的报错信息 def handle_no_permission(self): # 继承错误返回方法,这个类视图get和post返回的方法不同 if self.request.method.lower() != 'get': # 如果是get没有权限 返回 return to_json_data(errno=Code.ROLEERR, errmsg='没有操作权限')
else:
return super(TagManageView,self).handle_no_permission() # post请求没有权限发送默认错误 super(所在的类,self)
class TagEditView(PermissionRequiredMixin, View):
    """
    /admin/tags/<int:tag_id>/
    Serves GET and PUT and answers with JSON only, so a failed permission
    check is reported as JSON as well instead of through the mixin default.
    """
    permission_required = ('news.delete_tag', 'news.change_tag')
    raise_exception = True

    def handle_no_permission(self):
        # Every method on this view replies with JSON, so there is no
        # per-method branch here.
        return to_json_data(errno=Code.ROLEERR, errmsg='没有操作权限')