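1. Log in to admin and change the salesperson role's permissions so that it can only view the order list.
2. urls.py
3. views.py: as written, anyone can access these views.
Question to think about: how do we add permissions to a page?
Write the logged-in user's permissions into the session.
4. Write the logged-in user's permission list into the session. session = { "user_id": 1, "permission_list": ['/users/', '/orders/'] }
5. When the user list or the order list is accessed, read the value (the permission list) from the session.
Condition: as long as the requested URL is in the permission list, access is allowed.
6. Here is the problem: if the URL contains a regex (\d+), how do we check it?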
    # current_path = request.path_info  # /users/edit/3
    # permission_list = request.session["permission_list"]  # ['/users/', '/orders/', '/users/edit/(\d+)']
    # if current_path in permission_list:  # a plain membership test can no longer decide this
    #     pass
Regex matching
7. The match method
Return value on a successful match
8. users
orders: the same check applies to orders
Code:
    import re

    from django.shortcuts import render, redirect, HttpResponse

    from rbac.models import UserInfo


    def login(request):
        if request.method == "GET":
            return render(request, "login.html")
        else:
            user = request.POST.get("user")
            pwd = request.POST.get("pwd")
            user = UserInfo.objects.filter(name=user, pwd=pwd).first()
            if user:
                # What to do after successful authentication?
                request.session["user_id"] = user.pk
                # All permissions of the currently logged-in user
                permission_info = user.roles.all().values("permissions__url", "permissions__title").distinct()
                temp = []
                for i in permission_info:
                    # A role without permissions yields None here; skip it
                    if i["permissions__url"]:
                        temp.append(i["permissions__url"])
                request.session["permission_list"] = temp
                # {"user_id": 1, "permission_list": ['/users/', '/orders/']}
                return HttpResponse("登录成功!")  # "Login succeeded!"
            else:
                return redirect("/login/")


    def users(request):
        current_path = request.path_info  # e.g. /users/edit/3
        permission_list = request.session.get("permission_list")
        if not permission_list:
            return redirect("/login/")

        flag = False
        for permission_url in permission_list:
            # re.match anchors at the start of current_path only
            ret = re.match(permission_url, current_path)
            if ret:
                flag = True
                break
        if not flag:
            return HttpResponse("没有权限")  # "No permission"
        return HttpResponse("用户列表")  # "User list"


    def orders(request):
        current_path = request.path_info  # e.g. /orders/
        permission_list = request.session.get("permission_list")
        if not permission_list:
            return redirect("/login/")

        flag = False
        for permission_url in permission_list:
            ret = re.match(permission_url, current_path)
            if ret:
                flag = True
                break
        if not flag:
            return HttpResponse("没有权限")  # "No permission"
        return HttpResponse("订单列表")  # "Order list"
Views.py
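Middleware
1. Problem: move the check into a separate file and load it as middleware, so the same code is not repeated in every view.
2. What should the class inherit from? Look at the source code.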
3.
4.
5.
6.
7.
Code:
    import re

    from django.utils.deprecation import MiddlewareMixin
    from django.shortcuts import redirect, HttpResponse


    class M1(MiddlewareMixin):
        def process_request(self, request):
            # e.g. /admin/login/?next=/admin/
            current_path = request.path_info

            # Whitelist: paths that are let through without a permission check
            valid_url_menu = ["/login/", "/reg/", "/admin/.*"]
            for valid_url in valid_url_menu:
                ret = re.match(valid_url, current_path)
                if ret:
                    return None

            permission_list = request.session.get("permission_list")
            if not permission_list:
                return redirect("/login/")

            # e.g. /users/edit/3
            flag = False
            for permission_url in permission_list:
                ret = re.match(permission_url, current_path)
                if ret:
                    flag = True
                    break
            if not flag:
                return HttpResponse("没有权限")  # "No permission"
s.py
8. Now even login is denied. (Many URLs need the permission check, so a whitelist should be defined in the middleware file s.py.)
9.
10. The admin path changes automatically
It redirects directly
11. The whitelist paths were hard-coded; they should be regexes.
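
Added example (not part of the original post): the whitelist and permission check from steps 6 to 11 as a standalone function that runs without Django. re.match anchors only at the start of the path, so a stored pattern such as '/users/' also admits '/users/edit/3'; re.fullmatch requires the pattern to cover the whole path. The names matches_any and is_allowed and the sample lists are assumptions made for this example.

```python
import re

# Constructed sample data, modelled on the session layout shown in the post.
WHITELIST = ["/login/", "/reg/", "/admin/.*"]
SALES_PERMISSIONS = ["/orders/"]
MANAGER_PERMISSIONS = ["/users/", "/orders/", r"/users/edit/(\d+)"]


def matches_any(patterns, path, whole_path=True):
    """Return True if any stored pattern matches the path.

    whole_path=True uses re.fullmatch (the pattern must cover the entire path);
    whole_path=False uses re.match, which only anchors at the start.
    """
    matcher = re.fullmatch if whole_path else re.match
    for pattern in patterns:
        try:
            if matcher(pattern, path):
                return True
        except re.error:
            # A malformed pattern in the permission table grants nothing.
            continue
    return False


def is_allowed(path, permission_list, whole_path=True):
    """Check the whitelist first, then the user's permissions; deny by default."""
    if matches_any(WHITELIST, path, whole_path):
        return True
    return matches_any(permission_list or [], path, whole_path)


if __name__ == "__main__":
    for path in ["/orders/", "/orders/delete/7", "/users/edit/3", "/login/x"]:
        print(path,
              "prefix:", is_allowed(path, SALES_PERMISSIONS, whole_path=False),
              "whole:", is_allowed(path, SALES_PERMISSIONS))
```

With whole-path matching, every URL that should be reachable needs its own pattern in the permission table, as '/users/edit/(\d+)' already has in the session example from step 6.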
Original URL: https://www.cnblogs.com/c-x-m/p/9026602.html
Time: 2024-08-11 05:49:27