CRM客户关系管理系统(十三) 第十三章、用户自定义认证第十四章、万能通用权限框架设计
CRM客户关系管理系统(十三) 第十三章、用户自定义认证第十四章、万能通用权限框架设计
zhang_derek
发布于 2018-05-30 14:29:37
发布于 2018-05-30 14:29:37
文章被收录于专栏:有趣的django
第十三章、用户自定义认证
13.1.用户自定义认证
- class Meta:
abstract = True (不会创建表,只把字段继承给子类)
- django加密方式:md5 + 盐
- account
LADP:轻量级目录账号管理协议(集中账号管理):通过网络到LDAP服务器上进行验证
- SSO:Single Sign on (单点登录)
(1)settings.py
AUTH_USER_MODEL = 'crm.UserProfile'(2)crm/models.py
class UserProfileManager(BaseUserManager):
def create_user(self, email, name, password=None):
"""
Creates and saves a User with the given email, date of
birth and password.
"""
if not email:
raise ValueError('Users must have an email address')
user = self.model(
email=self.normalize_email(email),
name=name,
)
user.set_password(password)
user.save(using=self._db)
return user
def create_superuser(self, email, name, password):
"""
Creates and saves a superuser with the given email, date of
birth and password.
"""
user = self.create_user(
email,
password=password,
name=name,
)
user.is_admin = True
user.save(using=self._db)
return user
class UserProfile(AbstractBaseUser,PermissionsMixin):
email = models.EmailField(
verbose_name='email address',
max_length=255,
unique=True,
)
name = models.CharField(max_length=64)
role = models.ManyToManyField(Role, blank=True, null=True)
is_active = models.BooleanField(default=True)
is_admin = models.BooleanField(default=False)
is_staff = models.BooleanField(default=False)
#创建用户和超级用户,关联上面的
objects = UserProfileManager()
USERNAME_FIELD = 'email'
#必须要有的字段
REQUIRED_FIELDS = ['name']
def __str__(self):
return self.email
def has_perm(self, perm, obj=None):
"Does the user have a specific permission?"
# Simplest possible answer: Yes, always
return True
def has_module_perms(self, app_label):
"Does the user have permissions to view the app `app_label`?"
# Simplest possible answer: Yes, always
return True
def get_full_name(self):
# The user is identified by their email address
return self.email
def get_short_name(self):
# The user is identified by their email address
return self.email
@property
def is_staff(self):
"Is the user a member of staff?"
# Simplest possible answer: All admins are staff
return self.is_admin(3)crm/admin.py
from django import forms
from django.contrib import admin
from django.contrib.auth.models import Group
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from django.contrib.auth.forms import ReadOnlyPasswordHashField
from crm.models import UserProfile
class UserCreationForm(forms.ModelForm):
"""A form for creating new users. Includes all the required
fields, plus a repeated password."""
password1 = forms.CharField(label='Password', widget=forms.PasswordInput)
password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput)
class Meta:
model = UserProfile
fields = ('email', 'name')
#进行验证
def clean_password2(self):
# Check that the two password entries match
password1 = self.cleaned_data.get("password1")
password2 = self.cleaned_data.get("password2")
if password1 and password2 and password1 != password2:
raise forms.ValidationError("Passwords don't match")
return password2
def save(self, commit=True):
# Save the provided password in hashed format
#继承基类的save()
user = super(UserCreationForm, self).save(commit=False)
#把明文密码改成密文
user.set_password(self.cleaned_data["password1"])
if commit:
user.save()
return user
class UserChangeForm(forms.ModelForm):
"""A form for updating users. Includes all the fields on
the user, but replaces the password field with admin's
password hash display field.
"""
#把密码改成哈希的了
password = ReadOnlyPasswordHashField()
class Meta:
model = UserProfile
fields = ('email', 'password', 'name', 'is_active', 'is_superuser')
def clean_password(self):
# Regardless of what the user provides, return the initial value.
# This is done here, rather than on the field, because the
# field does not have access to the initial value
return self.initial["password"]
class UserProfileAdmin(BaseUserAdmin):
# The forms to add and change user instances
form = UserChangeForm
add_form = UserCreationForm
# The fields to be used in displaying the User model.
# These override the definitions on the base UserAdmin
# that reference specific fields on auth.User.
list_display = ('email', 'name','is_superuser')
list_filter = ('is_superuser',)
fieldsets = (
(None, {'fields': ('email', 'password')}),
('Personal info', {'fields': ('name',)}),
('Permissions', {'fields': ('is_staff','is_active','role','user_permissions','groups','is_superuser')}),
)
# add_fieldsets is not a standard ModelAdmin attribute. UserAdmin
# overrides get_fieldsets to use this attribute when creating a user.
add_fieldsets = (
(None, {
'classes': ('wide',),
'fields': ('email', 'name', 'password1', 'password2')}
),
)
search_fields = ('email',)
ordering = ('email',)
filter_horizontal = ('role','user_permissions','groups')
# Now register the new UserProfileAdmin...
admin.site.register(UserProfile, UserProfileAdmin)
# ... and, since we're not using Django's built-in permissions,
# unregister the Group model from admin.
# admin.site.unregister(Group)第十四章、万能通用权限框架设计
14.1.万能通用权限框架设计
(1)kingadmin/permission_list.py
所有权限列表
# kingamdin/permission.py
perm_dic = {
# 'crm_table_index': ['table_index', 'GET', [], {}, ], # 可以查看CRM APP里所有数据库表
'crm_table_list': ['table_obj_list', 'GET', [], {}], # 可以查看每张表里所有的数据
# 'crm_table_list': ['table_obj_list', 'GET', [], {'source':0,'status':0}], # 添加参数:只能访问来源是qq和未报名的客户
'crm_table_list_view': ['table_obj_change', 'GET', [], {}], # 可以访问表里每条数据的修改页
'crm_table_list_change': ['table_obj_change', 'POST', [], {}], # 可以对表里的每条数据进行修改
'crm_table_list_add_view': ['table_obj_add ', 'GET', [], {}], # 可以访问数据增加页
'crm_table_list_add': ['table_obj_add ', 'POST', [], {}], # 可以添加表数据
}value[0]跟kingadmin/url.py里面的url_name一致
(2)kingadmin/permissions
# kingadmin/permissions.py
# from django.core.urlresolvers import resolve
from django.urls import resolve
from django.shortcuts import render,redirect,HttpResponse
from kingadmin.permission_list import perm_dic
from django.conf import settings
def perm_check(*args,**kwargs):
#1.获取当前请求的url
#2.把url解析成url_name(通过resolve)
#3.判断用户是否已登录(user.is_authenticated())
#3.拿url_name到permission_dict去匹配,匹配时要包括请求方法和参数
#4.拿匹配到可权限key,调用user.has_perm(key)
match_results = [None,]
request = args[0]
resolve_url_obj = resolve(request.path)
#通过resolve解析出当前访问的url_name
current_url_name = resolve_url_obj.url_name
print('---perm:',request.user,request.user.is_authenticated(),current_url_name)
#match_flag = False
match_key = None
#判断用户是否登录
if request.user.is_authenticated() is False:
return redirect(settings.LOGIN_URL)
for permission_key,permission_val in perm_dic.items():
#key和value(值有四个参数): 比如 'crm_table_index': ['table_index', 'GET', [], {}, ]
per_url_name = permission_val[0]
per_method = permission_val[1]
perm_args = permission_val[2]
perm_kwargs = permission_val[3]
#如果当前访问的url_name匹配上了权限里面定义的url_name
if per_url_name == current_url_name:
#url_name匹配上,接着匹配方法(post,get....)
if per_method == request.method:
# if not perm_args: #if no args defined in perm dic, then set this request to passed perm
#逐个匹配参数,看每个参数是否都能对应的上。
args_matched = False #for args only
for item in perm_args:
#通过反射获取到request.xxx函数 这里request_methon_func = request.GET/request.POST
request_method_func = getattr(request,per_method)
if request_method_func.get(item,None): # request字典中有此参数
args_matched = True
else:
print("arg not match......")
args_matched = False
break # 有一个参数不能匹配成功,则判定为假,退出该循环。因为可能有很多参数,必须所有参数都一样才匹配成功
else: # perm_dic里面的参数可能定义的就是空的,就走这里
args_matched = True
#匹配有特定值的参数
kwargs_matched = False
for k,v in perm_kwargs.items():
request_method_func = getattr(request, per_method)
arg_val = request_method_func.get(k, None) # request字典中有此参数
print("perm kwargs check:",arg_val,type(arg_val),v,type(v))
if arg_val == str(v): #匹配上了特定的参数 及对应的 参数值, 比如,需要request 对象里必须有一个叫 user_id=3的参数
kwargs_matched = True
else:
kwargs_matched = False
break # 有一个参数不能匹配成功,则判定为假,退出该循环。
else:
kwargs_matched = True
match_results = [args_matched,kwargs_matched]
print("--->match_results ", match_results)
#列表里面的元素都为真
if all(match_results): #都匹配上了
match_key = permission_key
break
if all(match_results):
#主要是获取到app_name
app_name, *per_name = match_key.split('_')
print("--->matched ",match_results,match_key)
print(app_name, *per_name)
#per_obj = 例如:crm.crm_obj_list
perm_obj = '%s.%s' % (app_name,match_key)
print("perm str:",perm_obj)
if request.user.has_perm(perm_obj):
print('当前用户有此权限')
return True
else:
print('当前用户没有该权限')
return False
else:
print("未匹配到权限项,当前用户无权限")
def check_permission(func):
def inner(*args,**kwargs):
if not perm_check(*args,**kwargs):
request = args[0]
return render(request,'kingadmin/page_403.html')
return func(*args,**kwargs)
return inner获取到表的名字的时候用到了 *per_name和split,具体用法解释:
(3)page_403.html
{#kingadmin/templates/kingamdin/page_403.html#}
{% extends 'kingadmin/base.html' %}
{% block body %}
<div class="row col-lg-offset-2">
<h1 style="font-size: 200px;">403</h1>
<h4>You have no permission to access this page</h4>
</div>
{% endblock %}(4)crm/models.py
Meta里面加入权限
class UserProfile(AbstractBaseUser,PermissionsMixin):
email = models.EmailField(
verbose_name='email address',
max_length=255,
unique=True,
)
name = models.CharField(max_length=64)
role = models.ManyToManyField(Role, blank=True, null=True)
is_active = models.BooleanField(default=True)
is_admin = models.BooleanField(default=False)
is_staff = models.BooleanField(default=True)
#创建用户和超级用户,关联上面的
objects = UserProfileManager()
USERNAME_FIELD = 'email'
#必须要有的字段
REQUIRED_FIELDS = ['name']
def __str__(self):
return self.email
# def has_perm(self, perm, obj=None):
# "Does the user have a specific permission?"
# # Simplest possible answer: Yes, always
# return True
#
# def has_module_perms(self, app_label):
# "Does the user have permissions to view the app `app_label`?"
# # Simplest possible answer: Yes, always
# return True
def get_full_name(self):
# The user is identified by their email address
return self.email
def get_short_name(self):
# The user is identified by their email address
return self.email
# @property
# def is_staff(self):
# "Is the user a member of staff?"
# # Simplest possible answer: All admins are staff
# return self.is_admin
class Meta:
permissions = (
('crm_table_list','可以查看每张表里所有的数据'),
('crm_table_list_view','可以访问表里每条数据的修改页'),
('crm_table_list_change','可以对表里的每条数据进行修改'),
('crm_table_list_add_view','可以访问数据增加页'),
('crm_table_list_add','可以添加表数据'),
)
(5)kingadmin/views.py加装饰器
(6)admin后台管理权限
现在访问客户列表(还有增加修改页面)是没有权限的
必须在后台赋予权限才可以
再访问就可以了
14.2.自定义权限钩子实现
只允许用户访问自己创建的数据,比如只允许销售访问自己创建的客户:
(1)kingadmin/permission_list.py
'crm_table_list': ['table_obj_list', 'GET', [], {},permission_hook.view_my_own_customers], 
(2)kingadmin/permission_hook.py
# kingadmin/permission_hook.py
def view_my_own_customers(request):
#当前登录的用户id 等于客户的顾问的id(销售创建客户的时候,顾问就是销售自己)
#实现销售只能看自己的客户功能
if str(request.user.id) == request.GET.get('consultant'):
return True
else:
return False(3)kingadmin/permissions.py
现在销售就只能看到自己创建的客户了
这样,万通通用的权限框架就开发完毕了,权限的控制可大可小,而且想要移植到其它django项目时, 唯一需要改的,就是配置好perm_dic里的权限条目!
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2018-05-06 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
云服务器
云服务器(Cloud Virtual Machine,CVM)提供安全可靠的弹性计算服务。 您可以实时扩展或缩减计算资源,适应变化的业务需求,并只需按实际使用的资源计费。使用 CVM 可以极大降低您的软硬件采购成本,简化 IT 运维工作。
腾讯云开发者
