从FBV到CBV三（权限）

2024-03-02 20:19:51

丛FBC到CBV三(权限)

权限

准备数据表

用户组(group)
id	group_name
1	usual
2	vip
3	svip
4	admin

用户(user)
id	username	password	group_id
1	Joshua	123	1
2	William	123	2
3	Daniel	123	3
4	Michael	123	4

创建项目及app：

models.py <wiz_code_mirror> 19 19 1

# -*- coding:utf-8 -*-

from django.db import models

class Group(models.Model):

    id = models.AutoField(primary_key=True)

    group_name = models.CharField(max_length=40)

    class Meta:

        db_table = 'group'

class User(models.Model):

    id = models.AutoField(primary_key=True)

    username = models.CharField(max_length=40,unique=True)

    password = models.CharField(max_length=40)

    group_id = models.ForeignKey(Group, default=1)

    class Meta:

        db_table = 'user'

views.py <wiz_code_mirror> 16 16 1

from django.http.response import JsonResponse

from rest_framework.views import APIView

from permissions.models import User, Group

class Users(APIView):

    def get(self, request):

        users = User.objects.all().values()

        return JsonResponse(list(users), safe=False)

class Groups(APIView):

    def get(self, request):

        groups = Group.objects.all().values()

        return JsonResponse(list(groups), safe=False)

urls.py <wiz_code_mirror> 9 9 1

from django.conf.urls import url

from django.contrib import admin

from permissions.views import Users, Groups

urlpatterns = [

    url(r'^admin/', admin.site.urls),

    url(r'^user/$', Users.as_view(), name='user'),

    url(r'^group/$', Groups.as_view(), name='group'),

Postman提交请求：

现在新建了一张MemberPrograms表，里面的内容是只给会员用户展示的实现这个功能：

会员项目(member_programs)
id	program_name
1	书法长卷
2	书法碑帖
3	墓志塔铭
4	兰亭集序

定义models <wiz_code_mirror> 6 6 1

class MemberProgram(models.Model):

    id = models.AutoField(primary_key=True)

    program_name = models.CharField(max_length=100)

    class Meta:

        db_table = 'member_program'

定义url以及视图函数： <wiz_code_mirror> 9 9 1

from django.conf.urls import url

from permissions.views import Users, Groups, MemberPrograms

urlpatterns = [

    url(r'^user/$', Users.as_view(), name='user'),

    url(r'^group/$', Groups.as_view(), name='group'),

    url(r'^program/$', MemberPrograms.as_view(), name='program'),

<wiz_code_mirror> 4 4 1

class MemberPrograms(APIView):

    def get(self, request):

        programs = MemberProgram.objects.all().values()

        return JsonResponse(list(programs), safe=False)

测试：

现在接口已经实现了，但是我们要对这个接口增加权限控制，只允许vip,svip,admin用户访问，代码实现：方法一：上一章我们实现了自定义认证的中间件，现在可以利用起来，修改如下： <wiz_code_mirror> 1 25 1

class MyAuthentication(BaseAuthentication):

    def authenticate(self, request):

        name = request._request.GET.get('username')

        print(name)

        return (name, None)

class MemberPrograms(APIView):

    authentication_classes = [MyAuthentication, ]

    def get(self, request):

        if not request.user:            # 没用用户身份，不允许访问

            ret = {'code': 1002, 'error': '权限被拒'}

            return JsonResponse(ret)

        username = request.user

        try:

            group_name = User.objects.get(username=username).group.group_name

        except User.DoesNotExist:            # 用户身份不存在，返回错误信息

            ret = {'code': 1003, 'error': '用户不存在'}

            return JsonResponse(ret)

        if group_name == 'usual':           # 是普通用户，没有权限

            ret = {'code': 1002, 'error': '权限被拒'}

            return JsonResponse(ret)

        programs = MemberProgram.objects.all().values()    # 用户权限满足条件 返回接口信息

        return JsonResponse(list(programs), safe=False)

测试：

上面实现了接口对用户权限的控制，实际项目代码不会这么简单，需要通过token进行判断，这里只是简单实现方法二：利用restframework的permission组件实现：

from rest_framework.authentication import BaseAuthentication
from rest_framework.permissions import BasePermission
from rest_framework.exceptions import PermissionDenied

lass MyAuthentication(BaseAuthentication):
    def authenticate(self, request):
        name = request._request.GET.get('username')
        print(name)
        return (name, None)

class MyPermission(BasePermission):
    def has_permission(self, request, view):
        if not request.user:
            raise PermissionDenied('权限被拒')
        username = request.user
        try:
            group_name = User.objects.get(username=username).group.group_name
        except User.DoesNotExist:
            raise PermissionDenied('用户不存在')
        if group_name == 'usual':
            raise PermissionDenied('权限被拒')
        return True

class MemberPrograms(APIView):
    authentication_classes = [MyAuthentication, ]
    permission_classes = [MyPermission, ]

def get(self, request):
        programs = MemberProgram.objects.all().values()
        return JsonResponse(list(programs), safe=False)

<wiz_code_mirror>

from rest_framework.authentication import BaseAuthentication

from rest_framework.permissions import BasePermission

from rest_framework.exceptions import PermissionDenied

lass MyAuthentication(BaseAuthentication):

    def authenticate(self, request):

        name = request._request.GET.get('username')

        print(name)

        return (name, None)

class MyPermission(BasePermission):

    def has_permission(self, request, view):

        if not request.user:

            raise PermissionDenied('权限被拒')

        username = request.user

        try:

            group_name = User.objects.get(username=username).group.group_name

        except User.DoesNotExist:

            raise PermissionDenied('用户不存在')

        if group_name == 'usual':

            raise PermissionDenied('权限被拒')

        return True

class MemberPrograms(APIView):

    authentication_classes = [MyAuthentication, ]

    permission_classes = [MyPermission, ]

    def get(self, request):

        programs = MemberProgram.objects.all().values()

        return JsonResponse(list(programs), safe=False)

上面的例子中我们都是将认证类和权限类注册在了对应的view视图中，其实要是项目中多数视图需要进行以上验证，那就可将自定义的认证类和权限类放在一个单独的文件中，然后注册到seeting.py中：

在seeting.py中添加下面内容：

码农公寓

权限

准备数据表

创建项目及app：

相关文章