Browse the catalog
Simple control
Check whether you have permission, the easiest way is to directly for loop
{% if "users/add" in permissions_list%}
For example: check whether the user has permission to add users, if so, display the add user button, if not, hide it.
{% if "users/add" in request.actions %} <button class="btn btn-primary">Add user</button> {% endif %}
get rid of table control
Change the database structure
In order to easily know what permissions users have and which permissions to show users, we need permission groups to distinguish them.
Add a new table permission group table.
# Permissions table class Permission(models.Model): title = models.CharField(max_length=32) url = models.CharField(max_length=32) action=models.CharField(max_length=32,default="") group=models.ForeignKey(to="PermissionGroup",default=1) def __str__(self): return self.title # Rights Groups class PermissionGroup(models.Model): title=models.CharField(max_length=32) def __str__(self): return self.title
We usually see the list page first. Whether to display the addition, whether to display the editing, or whether to display the deletion on this page needs to be judged.
With or without adding permission, with or without deletion permission, with or without editing permission, we can give each url a code name
dict = { 1:{ codename /users/ list /users/add/ add /users/del(\d+)/ del /users/edit(\d+)/ edit } }
Enter permission data through admin
class PerConfig(admin.ModelAdmin): list_display = ["title","url","action","group"] #显示字段 admin.site.register(UserInfo) admin.site.register(Role) admin.site.register(Permission,PerConfig) #Bind PerConfig class admin.site.register(PermissionGroup)
With permission groups, you can view permissions directly by action.
For example: check whether the user has permission to add users, if so, display the add user button, if not, hide it.
{% if "add" in request.actions %} <button class="btn btn-primary">Add user</button> {% endif %}
Simple class control
Through the instantiated object of the class, you can directly use "." to call the method in the class for simple operations.
views.py
class Per(object): def __init__(self, actions): self.actions = actions def add(self): return "add" in self.actions def delete(self): return "delete" in self.actions def edit(self): return "edit" in self.actions def list(self): return "list" in self.actions
If you want to see what permissions the logged in user has on the user table, you can instantiate an object.
For example: check whether the user has permission to add users, if so, display the add user button, if not, hide it.
{% if per.add %} <button class="btn btn-primary">Add user</button> {% endif %}
Login authentication
#Query all the permissions of the currently logged-in user, according to the url, group id, display the operations to be performed by each permission, and deduplicate the permission list permissions = user.roles.all().values("permissions__url", "permissions__group_id", "permissions__action").distinct() print("permissions",permissions) #All permissions of the currently logged in user are as follows: '''permissions <QuerySet [{'permissions__url': '/users/', 'permissions__action': 'list', 'permissions__group_id': 1}, {'permissions__url': '/users/add', 'permissions__action': 'add', 'permissions__group_id': 1}, {'permissions__url': '/users/delete/(\\d+)', 'permissions__action': 'delete', 'permissions__group_id': 1}, {'permissions__url': '/roles/', 'permissions__action': 'list', 'permissions__group_id': 2}, {'permissions__url': '/users/edit/(\\d+)', 'permissions__action': 'edit', 'permissions__group_id': 1}]> '''
The above data is not very convenient for us to use. How can we get the data we want? We can store them in the form of a dictionary, which is convenient for us to query.
permission_dict={} #Create an empty dictionary for item in permissions: #loop through each permission gid=item.get("permissions__group_id") #Get the group id and use the group as the key of the dictionary if not gid in permission_dict: #If there is no group as a key, create a new key name and add data permission_dict[gid]={ "urls":[item["permissions__url"],], "actions":[item["permissions__action"],], } else: #Add data directly if there is a key permission_dict[gid]["urls"].append(item["permissions__url"]) permission_dict[gid]["actions"].append(item["permissions__action"]) print(permission_dict) #Register the permission dictionary in the session, which is convenient for later query request.session["permission_dict"]=permission_dict
You will get the following data:
'''{{'1': {'urls': ['/users/', '/users/add', '/users/delete/(\\d+)', '/users/edit/(\\d+)'], 'actions': ['list', 'add', 'delete', 'edit']}, '2': {'urls': ['/roles/'], 'actions': ['list']}} '''
Middleware check permission
With the permission_dict dictionary registered in the session, we can easily query the permissions that each user has.
'''Permission check two''' permission_dict=request.session.get("permission_dict") #Register the permission dictionary in the session print(permission_dict) for item in permission_dict.values(): #loop by group urls=item["urls"] #urls are all urls in each group for rule in urls: #traverse all urls rule="^%s$"%rule # String concatenation redefines permissions ret=re.match(rule,current_path) #match the current path by rule if ret: #match successful print("actions",item["actions"]) request.actions=item["actions"] #Set attributes to the object, and then call request.actions to get all the permissions of the current user on the current table return None return HttpResponse("Sorry, you don't have access!")