一个包含正则表达式url就是一个权限
who what how ---------->True or Flase
UserInfor
name
pwd
permission=models.manytomany(Permission)
name pwd
gkate 123
twiss 456
A 111
B 222
C 333
D 444
Permission
url=.....
title=....
id url title
1 "/users/" "查看用户"
2 "/users/add/" "添加用户"
3 "/customer/add" "添加客户"
UserInfor_permission
id
user_id
permission_id
id user_id permission_id
1 1 1
2 1 2
3 2 2
4 3 1
5 3 2
6 3 3
4 4 1
5 4 2
6 4 3
4 5 1
5 5 2
6 5 3
4 6 1
5 6 2
6 6 3
4 7 1
5 7 2
6 7 3
示例:登录人:egon
访问url:http://127.0.0.1:8000/users/
def users(request):
user_id=request.session.get("user_id")
obj=UserInfor.objects.filter(pk=user_id).first()
obj.permission.all().valuelist("url")
return HttpResponse("users.....")
# 版本2:
UserInfor
name
pwd
roles
name pwd
gkate 123
twiss 456
twiss 456
twiss 456
twiss 456
twiss 456
twiss 456
twiss 456
twiss 456
Role
title=.......
permissions=......
id title
1 销售员
UserInfor2Role
id user_id role_id
1 1 1
Permission
url=.....
title=....
id url title
1 "/users/" "查看用户"
2 "/users/add/" "添加用户"
3 "/customer/add" "添加客户"
Role2Permission
id role_id permission_id
1 1 1
2 1 2
3 1 3
3 rbac(role-based access control)
关于rbac:
(1) 创建表关系:
class User(models.Model):
name=models.CharField(max_length=32)
pwd=models.CharField(max_length=32)
roles=models.ManyToManyField(to="Role")
def __str__(self): return self.name
class Role(models.Model):
title=models.CharField(max_length=32)
permissions=models.ManyToManyField(to="Permission")
def __str__(self): return self.title
class Permission(models.Model):
title=models.CharField(max_length=32)
url=models.CharField(max_length=32)
def __str__(self):return self.title
(2) 基于admin录入数据
(3) 登录校验:
if 登录成功:
查询当前登录用户的权限列表注册到session中
(4) 校验权限(中间件的应用)
class ValidPermission(MiddlewareMixin):
def process_request(self,request):
# 当前访问路径
current_path = request.path_info
# 检查是否属于白名单
valid_url_list=["/login/","/reg/","/admin/.*"]
for valid_url in valid_url_list:
ret=re.match(valid_url,current_path)
if ret:
return None
# 校验是否登录
user_id=request.session.get("user_id")
if not user_id:
return redirect("/login/")
# 校验权限
permission_list = request.session.get("permission_list",[]) # ['/users/', '/users/add', '/users/delete/(\\d+)', 'users/edit/(\\d+)']
flag = False
for permission in permission_list:
permission = "^%s$" % permission
ret = re.match(permission, current_path)
if ret:
flag = True
break
if not flag:
return HttpResponse("没有访问权限!")
return None