Django 权限管理

对于Django而言，虽然自带了一些基本的通用权限限制，但现实中，可能我们更希望自己去定义业务权限划分

Django对于权限这块的部分验证方法

user = request.user
user.is_superuser  #是否是超级管理员
user.s_anonymous()  #是否匿名用户，及未登录用户
user.groups.select_related()  #获取用户对应的组角色对象，
#当获取到group后，通过group.name获取组名，

下面是一段完整的权限控制例子

#!/usr/bin/env python
# encoding:utf8

from django.core.urlresolvers import resolve
from django.shortcuts import render


# 定义角色权限
roles = {
    'consultant': ['Customer', 'ConsultRecord'],
    'teachers': ['Course', 'ClassList', 'CourseRecord', 'StudyRecord'],
    'students':  ['StudyRecord'],
}
# 权限映射
permission_map = {
    'view_home': ['index', 'GET', []],  # 展示对应对可操作对象
    'view_object': ['admin_controller', 'GET', ['show']],  # 查看具体对象对数据信息
    'edit_object': ['admin_controller', 'POST', ['show', 'id']],  # 具有编辑该对象对权限
    'add_object_view': ['admin_controller', 'GET', ['add']],  # 进入添加页面,但不表示可以进行修改,该权限用于对表格显示字段过长,显示不全,可以进入该页面查看
    'add_object': ['admin_controller', 'POST', ['add']],  # 具有添加该对象对权限
    'delete_object': ['admin_controller', 'POST', ['show', 'data']],  # 具有删除该对象对权限
}


def check_process(*args, **kwargs):
    request = args[0]
    user = request.user
    if user.is_superuser:
        return True
    resolver_match_obj = resolve(request.path)
    url_name = resolver_match_obj.url_name
    args = list(resolver_match_obj.args)
    args.extend(request.GET)
    args.extend(request.POST)
    print('begin checking permission ', resolver_match_obj)
    if url_name:
        is_match = False
        match_perm = None
        for permission in permission_map:
            permission_action = permission_map[permission]  # 获取url对应的权限动作
            print('----------------url action: ', permission_action)
            if len(permission_action) == 3:  # 为保障下面语句执行不为语法而被破坏,加上该条件,强制性判断,否则放行
                define_url_name, define_request_method, define_others = permission_action
                if url_name == define_url_name:
                    print("match url name: ", define_url_name)
                    if request.method == define_request_method:
                        print("match method: ", define_request_method)
                        if define_others:  # 如果定义了具体参数匹配,则继续匹配参数
                            print("check others: ", permission, define_others)
                            for arg in define_others:
                                if hasattr(request, str(define_request_method)):
                                    request_method = getattr(request, str(define_request_method))  # 获取对应的请求方法对象
                                    if hasattr(request_method, arg) or arg in args:  # 如果能匹配参数,则标记匹配
                                        is_match = True
                                        print("others match: ", arg)
                                    else:
                                        print("others not match: ", arg)
                                        is_match = False
                            if is_match:
                                print("others match done: ", permission, permission_action)
                                match_perm = permission
                                break
                        else:
                            is_match = True
                            match_perm = permission
                            print("url check done ...", permission, permission_action)
                            break
            else:
                print('please check the define rules, maybe has some problem')
                return True  # 如果定义的动作不完整,为避免新增权限的缺陷影响业务,这种错误应该放行处理
    else:
        return True  # 如果没有找到对应的url name则放行处理

    if is_match:
        print("begin check user permission ...")
        if user.is_anonymous():
            print("user has not login ...")
            return True  # 如果用户是匿名,说明该页面可能不需要权限控制,放行处理,假如该view需要登录认证,那么再次权限处理时,不会在此处理
        elif user.has_perm('%s.%s' % (__package__, match_perm)):
            groups = user.groups.select_related()
            model_list = []
            for group in groups:
                if group.name in roles:
                    model_list.extend(roles[group.name])
            if args and len(args) > 1:  # 如果URL获取到参数,则对参数进行比较
                access_model = args[0]
                if access_model not in model_list:  # 该操作主要拦截,直接使用URL方式而非超链接,尝试指定不同model访问其它数据
                    return False
                return True
            return model_list if model_list else True  # 如果model_list为空,且该用户还有权限,那么只有超级用户才有这种特权了
    return False


def decorator(func):
    def wrapper(*args, **kwargs):
        check_result = check_process(*args, **kwargs)
        if not check_result:
            render_respond = render(args[0], '403.html')
            render_respond.status_code = 403  # 修改头部信息状态码
            print("permission refused ...")
            return render_respond
        if type(check_result) is list:  # 该参数仅在本次view中可能有用,所以在return时需要尝试捕获,如果出错,则尝试移除该key,再返回,再有其它错误,就可以排除是该权限控制产生的了
            kwargs['model_list'] = check_result
        print('permission check passed...')
        try:
            return func(*args, **kwargs)
        except TypeError:
            kwargs.pop('model_list')
            return func(*args, **kwargs)
    return wrapper