我正在使用Django Permissions,并试图了解如何实现
我有一个扩展的用户模型,其中用户有角色:
class UserCustomModel(models.Model):
user = models.OneToOneField(User, on_delete=models.CASCADE, primary_key=True)
ROLES = (
('ADMIN', 'ADMIN'),
('SUPERUSER', 'SUPERUSER'),
('CONTRIBUTOR', 'CONTRIBUTOR'),
('READER', 'READER'),
)
roles = models.CharField(max_length=50, choices=ROLES, null=True)
deleted = models.IntegerField(default=1)
last_change_date = models.DateTimeField(auto_now=True)
客户(公司)有一个模型:
class CustomClient(models.Model):
client_id = models.AutoField(primary_key=True)
client_name = models.TextField()
client_description = models.TextField()
deleted = models.IntegerField(default=1)
last_change_date = models.DateTimeField(auto_now=True)
def __str__(self):
return str(self.client_name)
每个用户只能分配给一个客户端。它显示在第三个模型中:
class ClientUser(models.Model):
class Meta:
unique_together = (('user', 'client', 'group'),)
user = models.ForeignKey(User, on_delete=models.CASCADE, primary_key=True)
client = models.ForeignKey(CustomClient, on_delete=models.CASCADE)
group = models.ForeignKey(Group, on_delete=models.CASCADE)
deleted = models.IntegerField(default=1)
last_change_date = models.DateTimeField(auto_now=True)
我在Django中为每个角色创建了组:
- 管理员
- 超级用户
- 贡献者
- 读者
这个想法是根据用户的角色将其分配到一个组中。它运行良好,但我想对这些组设置自定义权限。例如,如果用户具有超级用户角色,则他/她可以添加/更改/删除具有贡献者和读者角色的用户。或者,如果用户是ADMIN,他/她可以添加/更改/删除具有所有其他角色的用户。它必须受到用户客户端id的限制。
我无法从哪里开始,是否可以根据自定义用户角色设置权限?我发现我可以检查用户是否有这样的角色:
class IsAdmin(BasePermission):
def has_permission(self, request, view):
return request.user.role == "ADMIN"
但我不知道如何继续,我当然可以从请求中获得client_id。但是我应该在模型或视图中使用这个类IsAdmin(BasePermission)吗?
你这样做:
权限.py
def _is_in_group(user, group_name):
"""
Takes a user and a group name, and returns `True` if the user is in that group.
"""
if user == group_name:
return user
else:
return None
def _has_group_permission(user, required_groups):
return any([_is_in_group(user, group_name) for group_name in required_groups])
class IsAdminUser(permissions.BasePermission):
required_groups = ["ADMIN"]
def has_permission(self, request, view):
has_group_permission = _has_group_permission(
request.user.usergroup, self.required_groups
)
return request.user and has_group_permission
def has_object_permission(self, request, view, obj):
has_group_permission = _has_group_permission(
request.user.usergroup, self.required_groups
)
return request.user and has_group_permission
视图.py
在views中设置IsAdminUser以设置该权限