先在项目中创建 app rbac的models.py
from django.db import models class Permission(models.Model): """ 权限表 """ url = models.CharField('权限', max_length=32) title = models.CharField('标题', max_length=32) def __str__(self): return self.title class Role(models.Model): """ 角色表 """ name = models.CharField('角色名称', max_length=32) permissions = models.ManyToManyField('Permission', verbose_name='角色所拥有的权限', blank=True) def __str__(self): return self.name class User(models.Model): """ 用户表 """ name = models.CharField('用户名', max_length=32) pwd = models.CharField('密码', max_length=32) roles = models.ManyToManyField('Role', verbose_name='用户所拥有的角色', blank=True) def __str__(self): return self.name
先在web urls.py中添加路由
url(r'^admin/', admin.site.urls), url(r'^login/$', auth.login,name='login'), url(r'^index/$', auth.index,name='index'),
web app 中 views auth.py
from django.shortcuts import render, redirect, HttpResponse, reverse from rbac import models def index(request): return render(request, 'index.html') def login(request): if request.method == 'POST': # 获取用户名和密码 user = request.POST.get('user') pwd = request.POST.get('pwd') # 去数剧库进行筛选 obj = models.User.objects.filter(name=user, pwd=pwd).first() if not obj: return render(request, 'login.html') permission_query = obj.roles.filter(permissions__url__isnull=False).values('permissions__url', 'permissions__title').distinct() print('1111',permission_query) # <QuerySet [{'permissions__url': '/index/', 'permissions__title': '首页'}]> request.session['permission'] = list(permission_query) request.session['is_login'] = True return redirect(reverse('index')) return render(request, 'login.html')
在rbac app中创建过滤器
middlewares/rbac.py
from django.utils.deprecation import MiddlewareMixin from django.shortcuts import HttpResponse, redirect, reverse from django.conf import settings import re class RbacMiddleWare(MiddlewareMixin): def process_request(self, request): # 获取当前访问的页面 url = request.path_info # index # 白名单 for i in settings.WHITE_LIST: if re.match(i, url): return # 获取登录状态 is_login = request.session.get('is_login') # 没有登录跳转到登录页面 if not is_login: return redirect(reverse('login')) # 免认证 for i in settings.NO_PERMISSION_LIST: if re.match(i, url): return # 获取当前用户的权限 permission_list = request.session['permission'] print(permission_list) # 权限的校验 for i in permission_list: if re.match('^{}$'.format(i['permissions__url']), url): return # 没匹配成功 没有权限 return HttpResponse('没有访问的权限')
其中的re 是 引用settings.py中的变量
# 白名单 WHITE_LIST = [ r'^/login/$', r'^/reg/$', r'^/admin/.*', ] # 免认证的地址 需要登录 不行权限校验 NO_PERMISSION_LIST = [ '/index/' ]
附上admin的py
from django.contrib import admin from rbac import models # Register your models here. class PermissionAdmin(admin.ModelAdmin): list_display = ['url', 'title'] list_editable = ['title'] admin.site.register(models.Permission, PermissionAdmin) admin.site.register(models.Role) admin.site.register(models.User)