django权限管理(Permission)

什么是权限管理

  • 权限管理,一般指根据系统设置的安全规则或者安全策略,用户可以访问而且只能访问自 己被授权的资源
  • 权限管理好比如钥匙,有了钥匙就能把门打开,但是权限设置是有级别之分的,假如这个 系统有多个权限级别就如一间屋有多个门,想要把所有门都打开您必须要取得所有的钥 匙,就如系统一样。

django权限机制

  • django权限机制能够约束用户行为,控制页面的显示内容,也能使API更加安全和灵活;用好权限机制,能让系统更加强大和健壮

django权限控制

  • Django用user,group和permission完成了权限机制,这个权限机制是将属于model的某个permission赋予user或group,可以理解为全局的权限,即如果用户A对数据模型(model)B有可写权限,那么A能修改model B的所有实例(objects)。group的权限也是如此,如果为group C 赋予model B的可写权限,则隶属于group C的所有用户,都可以修改model B的所有 实例。

Django的权限项

  • Django用permission对象存储权限项,每个model默认都有三个permission,即add model, change model和delete model permission总是与model对应的,如果一个object不是model的实例,我们无法为它创建 /分配权限

默认权限

  • 在 INSTALLED_APPS 设置中列出django.contrib.auth 后,安装的各个应用中的每个 Django 模 型默认都有三个权限:添加、修改和删除。每次运行 manage.py migrate 命令创建新模型时都 会为其赋予这三个权限。

分组

  • django.contrib.auth.models.Group 模型是为用户分类的通用方式,这样便可以为一批用户 赋予权限或添加其 他标注。用户所属的分组数量不限。一个分组中的用户自动获得赋予那 个分组的权限。
  • 除了权限之外,分组还是为用户分类的便捷方式,分组后可以给用户添加标签,或者扩展功能

权限应用

  • Permission
  • User Permission
  • Group Permission
  • 权限检查
Permission
  • Django定义每个model后,默认都会添加该model的add, change和delete三个 permission,自定义的permission可以在我们定义model时手动添加
class Server(models.Model):
...
class Meta:
    permissions = (
    ("view_server", "can view server"),
    ("change_server_status", "Can change the status of server"),
    )
    #codename == view_server权限验证项
    #name == can view server 可读的名称
  • 每个permission都是django.contrib.auth.Permission类型的实例,该类型包含三个字段 name, codename 和 content_type

content_type反应了permission属于哪个model, codename 如上面的view_server,代码逻辑中检查权限时要用, name是permission的描述,将permission打印到屏幕或页面时默认显示的就是name

User Permission
  • User对象的user_permission字段管理用户的权限
user = User.objects.get(username="rock")
user.user_permissions = [permission_list]
user.user_permissions.add(permission, permission, …) #增加权限
user.user_permissions.remove(permission, permission, …) #删除权限
user.user_permissions.clear() #清空权限
user.get_all_permissions() #列出用户的所有权限
user.get_group_permissions() # 列出用户所属group的权限
  • 练习
In [1]: from django.contrib.auth.models import  Group,User,Permission
In [3]: user  = User.objects.get(username='rock-1')
In [4]: user.groups.all
Out[4]: <bound method BaseManager.all of <django.db.models.fields.related_descriptors.create_forward_many_to_many_manager.<locals>.ManyRelatedManager object at 0x7fd86cf49ef0>>
In [5]: user.groups.all()
Out[5]: <QuerySet [<Group: 51reboot>]>

In [6]: user.user_permissions.all()
Out[6]: <QuerySet []>
In [7]: per = Permission.objects.get(id=21)
In [8]: per.codename
Out[8]: 'delete_idc'

In [9]: user.user_permissions.add(per)

In [10]: user.user_permissions.all()
Out[10]: <QuerySet [<Permission: resources | idc | Can delete idc>]>

In [11]: user.user_permissions.remove(per)

In [12]: user.user_permissions.all()
Out[12]: <QuerySet []>

In [13]: user.user_permissions.add(per)

In [14]: user.user_permissions.clear()

In [15]: user.user_permissions.add(per)

In [16]: user.get_all_permissions()
Out[16]: 
{'admin.add_logentry',
 'admin.change_logentry',
 'admin.delete_logentry',
 'auth.add_group',
 'auth.add_permission',
 'auth.add_user',
 'auth.change_group',
 'auth.change_permission',
 'auth.change_user',
 'auth.delete_group',
 'auth.delete_permission',
 'auth.delete_user',
 'contenttypes.add_contenttype',
 'contenttypes.change_contenttype',
 'contenttypes.delete_contenttype',
 'resources.add_idc',
 'resources.change_idc',
 'resources.delete_idc',
 'sessions.add_session',
 'sessions.change_session',
 'sessions.delete_session'}

In [17]: user.groups.clear()

In [18]: user.get_all_permissions()
Out[18]: 
{'admin.add_logentry',
 'admin.change_logentry',
 'admin.delete_logentry',
 'auth.add_group',
 'auth.add_permission',
 'auth.add_user',
 'auth.change_group',
 'auth.change_permission',
 'auth.change_user',
 'auth.delete_group',
 'auth.delete_permission',
 'auth.delete_user',
 'contenttypes.add_contenttype',
 'contenttypes.change_contenttype',
 'contenttypes.delete_contenttype',
 'resources.add_idc',
 'resources.change_idc',
 'resources.delete_idc',
 'sessions.add_session',
 'sessions.change_session',
 'sessions.delete_session'}

In [19]: user.get_group_permissions()
Out[19]: 
{'admin.add_logentry',
 'admin.change_logentry',
 'admin.delete_logentry',
 'auth.add_group',
 'auth.add_permission',
 'auth.add_user',
 'auth.change_group',
 'auth.change_permission',
 'auth.change_user',
 'auth.delete_group',
 'auth.delete_permission',
 'auth.delete_user',
 'contenttypes.add_contenttype',
 'contenttypes.change_contenttype',
 'contenttypes.delete_contenttype',
 'resources.add_idc',
 'resources.change_idc',
 'resources.delete_idc',
 'sessions.add_session',
 'sessions.change_session',
 'sessions.delete_session'}

In [20]: user.groups.all()
Out[20]: <QuerySet []>
Group Permission
  • group permission管理逻辑与user permission管理一致,group中使用permissions字段做 权限管理
group.permissions.set([permission_list])#设置权限
group.permissions.add(permission, permission, …)#添加权限
group.permissions.remove(permission, permission, …)#删除权限
group.permissions.clear()#情况权限
  • 练习
In [40]: group = Group.objects.get(name='51reboot')#取出一个组
In [41]: group.permissions.all()#列出组所有权限
Out[41]: <QuerySet [<Permission: admin | log entry | Can add log entry>, <Permission: admin | log entry | Can change log entry>, <Permission: admin | log entry | Can delete log entry>, <Permission: auth | group | Can add group>, <Permission: auth | group | Can change group>, <Permission: auth | group | Can delete group>, <Permission: auth | permission | Can add permission>, <Permission: auth | permission | Can change permission>, <Permission: auth | permission | Can delete permission>, <Permission: auth | user | Can add user>, <Permission: auth | user | Can change user>, <Permission: auth | user | Can delete user>, <Permission: contenttypes | content type | Can add content type>, <Permission: contenttypes | content type | Can change content type>, <Permission: contenttypes | content type | Can delete content type>, <Permission: resources | idc | Can add idc>, <Permission: resources | idc | Can change idc>, <Permission: resources | idc | Can delete idc>, <Permission: sessions | session | Can add session>, <Permission: sessions | session | Can change session>, '...(remaining elements truncated)...']>

In [42]: permission = Permission.objects.get(id=20)#先取出一个权限(Can change idc)

In [43]: group.permissions.remove(permission)#从组里删除这个权限

In [44]: group.permissions.all()#再次查看权限
Out[44]: <QuerySet [<Permission: admin | log entry | Can add log entry>, <Permission: admin | log entry | Can change log entry>, <Permission: admin | log entry | Can delete log entry>, <Permission: auth | group | Can add group>, <Permission: auth | group | Can change group>, <Permission: auth | group | Can delete group>, <Permission: auth | permission | Can add permission>, <Permission: auth | permission | Can change permission>, <Permission: auth | permission | Can delete permission>, <Permission: auth | user | Can add user>, <Permission: auth | user | Can change user>, <Permission: auth | user | Can delete user>, <Permission: contenttypes | content type | Can add content type>, <Permission: contenttypes | content type | Can change content type>, <Permission: contenttypes | content type | Can delete content type>, <Permission: resources | idc | Can add idc>, <Permission: resources | idc | Can delete idc>, <Permission: sessions | session | Can add session>, <Permission: sessions | session | Can change session>, <Permission: sessions | session | Can delete session>]>

In [45]: group.permissions.add(permission)添加权限

In [46]: group.permissions.all()#再次查看权限
Out[46]: <QuerySet [<Permission: admin | log entry | Can add log entry>, <Permission: admin | log entry | Can change log entry>, <Permission: admin | log entry | Can delete log entry>, <Permission: auth | group | Can add group>, <Permission: auth | group | Can change group>, <Permission: auth | group | Can delete group>, <Permission: auth | permission | Can add permission>, <Permission: auth | permission | Can change permission>, <Permission: auth | permission | Can delete permission>, <Permission: auth | user | Can add user>, <Permission: auth | user | Can change user>, <Permission: auth | user | Can delete user>, <Permission: contenttypes | content type | Can add content type>, <Permission: contenttypes | content type | Can change content type>, <Permission: contenttypes | content type | Can delete content type>, <Permission: resources | idc | Can add idc>, <Permission: resources | idc | Can change idc>, <Permission: resources | idc | Can delete idc>, <Permission: sessions | session | Can add session>, <Permission: sessions | session | Can change session>, '...(remaining elements truncated)...']>

In [48]: group.permissions.set([permission])#设置权限,会清空之前的所有权限,传入一个权限列表

In [49]: group.permissions.all()#再次查看权限
Out[49]: <QuerySet [<Permission: resources | idc | Can change idc>]>

In [50]: group.permissions.clear()#清空所有权限

In [51]: group.permissions.all()#再次查看权限
Out[51]: <QuerySet []>
权限验证-普通视图
  • 在视图中验证权限—— permission_required,
  • 当业务逻辑中涉及到权限检查时,decorator能够分离权限验证和核心的业务逻辑,使代码更 简洁,逻辑更清晰。permission的decorator为permission_required
from django.contrib.auth.decorators import login_required, permission_required
@login_required
@permission_required(’dashboard.view_server')
def my_view(request,*args,**kwargs):
权限验证-类视图
from django.utils.decorators import method_decorator
from django.contrib.auth.decorators import login_required, permission_required
class ServerView(TemplateView):
    @method_decorator(login_required)
    @method_decorator(permission_required(“dashboard.view_server”)
    def get(self, request, *args, **kwargs):
    ...
权限验证-view代码中验证
if not request.user.has_perm(’dashboard.view_server')
    return HttpResponse('Forbidden')
权限验证-模板中验证
  • 验证是否有登陆
{% if user.is_authenticated %}
    <p>Welcome, {{ user.username }}. Thanks for logging in.</p>
{% else %}
    <p>Welcome, new user. Please log in.</p>
{% endif %}
  • 验证是否有权限
{% if perms.dashboard.view_server %}
有权限
{% endif %}
PermissionRequiredMixin
from django.contrib.auth.mixins import PermissionRequiredMixin
class IndexView(LoginRequiredMixin,PermissionRequiredMixin,TemplateView):
    template_name = 'index.html'
自定义PermissionRequiredMixin
创建仅限
  • 在模型的 Meta 类中定制权限
class Meta:
    permissions = (
    ("modify_user_status", "修改用户状态"),
    ("modify_user_passwd", "修改用户密码"),
    )
  • 直接创建权限
from resources.models import Idc
from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType
content_type = ContentType.objects.get_for_model(Idc)
permission = Permission.objects.create(codename='can_view',
name='Can view Idc',
content_type=content_type)

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏Linux驱动

QT-第一个程序 Hello QT , 以及QT creator介绍

第一个程序 - Hello QT 首先写main.cpp: #include <QApplication> #include <QMainWindow> #in...

3147
来自专栏Jackson0714

【T-SQL性能优化】01.TempDB的使用和性能问题

1462
来自专栏安富莱嵌入式技术分享

【RL-TCPnet网络教程】第39章 RL-TCPnet之TFTP服务器

本章节为大家讲解RL-TCPnet的TFTP服务器应用,学习本章节前,务必要优先学习第38章的TFTP基础知识。有了这些基础知识之后,再搞本章节会有事半功倍的效...

1123
来自专栏Laoqi's Linux运维专列

Ansible 搭建与配置(Ⅱ)

1727
来自专栏Jackson0714

【T-SQL性能优化】01.TempDB的使用和性能问题

33813
来自专栏林德熙的博客

C# 不能用于文件名的字符

在 Windows 有一些字符是不能作为文件名,尝试重命名一个文件,输入/ 就可以看到windows 提示的不能作为文件名的字符

542
来自专栏灯塔大数据

每周学点大数据 | No.66 “Hello World”程序—— WordCount(下)

NO.66 “Hello World”程序—— WordCount 接下来把输入文件从磁盘放入 HDFS 中。首先我们来看看 HDFS 的常用命令。 可以使用...

3304
来自专栏张戈的专栏

Linux运维工程师:30道面试题整理

前段时间,我在准备面试的时搜到的一套 Linux 运维工程师面试题,感觉比较全面,一直保存在草稿,刚在整理后台时翻了出来,干脆就发出来好了,以备不时之需。 1....

6995
来自专栏Rgc

mysql数据库优化(四)-项目实战

在flask项目中,防止随着时间的流逝,数据库数据越来越多,导致接口访问数据库速度变慢。所以自己填充数据进行测试及 mysql优化

673
来自专栏逸鹏说道

SQL Server 使用全文索引进行页面搜索

全文引擎使用全文索引中的信息来编译可快速搜索表中的特定词或词组的全文查询。全文索引将有关重要的词及其位置的信息存储在数据库表的一列或多列中。全文索引是一种特殊类...

2595

扫码关注云+社区