权限管理：

1、settings：

"""
Django settings for luffy_permission project.

Generated by 'django-admin startproject' using Django 1.11.7.

For more information on this file, see
https://docs.djangoproject.com/en/1.11/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.11/ref/settings/
"""

import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.11/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = '-t5hehq#zmk=_m)!6pm(c8_s-ycack)$dpppm7ws!&0#eljwzs'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = []

# Application definition

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'web.apps.WebConfig'                #注册web.apps.WebConfig
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'luffy_permission.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [os.path.join(BASE_DIR, 'templates')]
        ,
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'luffy_permission.wsgi.application'

# Database
# https://docs.djangoproject.com/en/1.11/ref/settings/#databases

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
    }
}

# Password validation
# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

# Internationalization
# https://docs.djangoproject.com/en/1.11/topics/i18n/

LANGUAGE_CODE = 'en-us'

TIME_ZONE = 'UTC'

USE_I18N = True

USE_L10N = True

USE_TZ = True

# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.11/howto/static-files/

STATIC_URL = '/static/'
2、urls路由分发：

"""luffy_permission URL Configuration

The `urlpatterns` list routes URLs to views. For more information please see:
    https://docs.djangoproject.com/en/1.11/topics/http/urls/
Examples:
Function views
    1. Add an import:  from my_app import views
    2. Add a URL to urlpatterns:  url(r'^$', views.home, name='home')
Class-based views
    1. Add an import:  from other_app.views import Home
    2. Add a URL to urlpatterns:  url(r'^$', Home.as_view(), name='home')
Including another URLconf
    1. Import the include() function: from django.conf.urls import url, include
    2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
"""
from django.conf.urls import url,include
from django.contrib import admin

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^', include('web.urls')),
]
3、基于角色的访问控制：
RBAC(Role-based access control ) 基于角色的访问控制

4、创建app：

python manage.py startapp rbac

5、settings里面注册上刚刚创建的rbac的app：

6、角色权限控制rbac里面创建models表：

from django.db import models

# Create your models here.

#创建权限表：
class Permission(models.Model):
    url = models.CharField(max_length=64,verbose_name="权限")
    title = models.CharField(max_length=32,verbose_name="标题")

#创建角色表：
class Role(models.Model):
    name = models.CharField(max_length=32,verbose_name="角色名称")
    permissions = models.ManyToManyField("Permission",verbose_name="角色所拥有的的权限")

#创建用户表：
class User(models.Model):
    username = models.CharField(max_length=32,verbose_name="用户名",unique=True)
    password = models.CharField(max_length=32,verbose_name="密码")
    roles = models.ManyToManyField("Role",verbose_name="用户所拥有的角色")

7、数据库迁移：

python manage.py makemigrations

python manage.py migrate

8、创建超级用户：

python manage.py createsuperuser

root1234

root1234

9、登录后台前在admin里面注册下：

from django.contrib import admin
from rbac import models
# Register your models here.

admin.site.register(models.Permission)
admin.site.register(models.Role)
admin.site.register(models.User)
10、登录admin并添加客户和账单信息：
http://127.0.0.1:8000/admin/login/?next=/admin/

11、rbac里面返回字符串信息：

 

12、增加角色：

 

 13、添加用户：

 14、定义认证登录功能：

from django.shortcuts import render,redirect,HttpResponse
from rbac import models

#定义登录功能：
def login(request):
    if request.method == "POST":
        username = request.POST.get("username")
        password = request.POST.get("password")
        obj = models.User.objects.filter(username=username,password=password).first()
        #如果没有相应的用户名或密码：
        if not obj:
            return render(request,"login.html",{"error":"用户名或密码错误"})
        #查询当前用户的权限、保存到session中、根据当前用户对象查询角色
        permissions = obj.roles.exclude(permissions__url=None).values("permissions__url").distinct()
        permissions = list(permissions)
        print(permissions,type(permissions))
        request.session["permissions"] = permissions
        return HttpResponse("ok")
    return render(request,"login.html")
15、创建中间件：

from django.utils.deprecation import MiddlewareMixin
from django.urls import reverse
from django.shortcuts import HttpResponse, redirect
from django.conf import settings
import re


class RbacMiddleWare(MiddlewareMixin):

    def process_request(self, request):
        # 获取当前的访问的url地址
        url = request.path_info
        print(url)
        # 白名单  不登录就可以访问
        for i in settings.WHITE_LIST:
            if re.match(i, url):
                return

                # 登录状态的校验
        is_login = request.session.get('is_login')
        if not is_login:
            return redirect('login')

        # 免认证的校验
        for i in settings.NO_PERMISSION_LIST:
            if re.match(i, url):
                return

        # 权限的校验
        permissions = request.session.get('permissions')
        for i in permissions:
            if re.match(r'^{}$'.format(i['permissions__url']), url):
                return

        return HttpResponse('没有访问权限，请联系管理员')