一、模板继承
知识点:
users.html / roles.html 继承自 base.html
滑动时,固定
position: fixed;top:60px;bottom:0;left:0;width:200px;
overflow: auto; base.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>base</title>
<!-- 最新版本的 Bootstrap 核心 CSS 文件 -->
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<style type="text/css">
*{padding: 0;margin: 0;}
.header{width: 100%; height: 60px;background-color: #336699;}
.menu{background-color: bisque; position: fixed; top:60px;bottom: 0;left: 0; width: 200px;}
.content{ position: fixed;top: 60px;bottom: 0; right: 0; left: 200px;overflow: auto;padding: 20px;} </style> </head>
<body> <div class="header">
<p>{{ user.name }}</p>
</div> <div class="container">
<div class="menu">
menu
</div> <div class="content">
{% block con %} {% endblock con%}
</div>
</div> </body>
</html>
users.html
{% extends 'base.html' %}
{% block con %}
<h4>用户列表</h4>
{% for user in user_list %}
<p>{{ user }}</p>
{% endfor %}
{% endblock con%}
二、table
知识点:
{% for user in user_list %}
<tr>
<td>{{ forloop.counter }}</td>
<td>{{ user.name }}</td>
<td>
{% for role in user.roles.all %}
{{ role.title }}
{% endfor %}
</td>
<td>
<a href="" class="btn btn-danger">删除</a>
<a href="" class="btn btn-warning">编辑</a>
</td>
</tr>
{% endfor %}users.html
{% extends 'base.html' %}
{% block con %}
<h4>用户列表</h4>
<a href="" class="btn btn-primary">添加</a>
<table class="table table-bordered table-striped">
<thead>
<tr>
<th>序号</th>
<th>姓名</th>
<th>角色</th>
<th>操作</th>
</tr>
</thead>
<tbody>
{% for user in user_list %}
<tr>
<td>{{ forloop.counter }}</td>
<td>{{ user.name }}</td>
<td>
{% for role in user.roles.all %}
{{ role.title }}
{% endfor %}
</td>
<td>
<a href="" class="btn btn-danger">删除</a>
<a href="" class="btn btn-warning">编辑</a>
</td>
</tr>
{% endfor %}
</tbody>
</table>
{% endblock con%}
三、权限不同(按钮 。。。)
用户权限不同,按钮显示就不同!
登录成功后,就已经注册了session
request.session['permission_list'] = permission_list permission_list = request.session.get('permission_list') 0.
{% if "/users/add/" in permission_list %}
<a href="/users/add/" class="btn btn-primary">添加</a>
{% endif %} {% if '/users/delete/(\d+)/' in permission_list %}
<a href="/users/delete/{{ user.pk }}/" class="btn btn-danger">删除</a>
{% endif %} BUT: 不好,不想让 if "/users/add/" 写死,会有 "/roles/add/" 情况,不健壮!怎么办?
不应该根据表名,去判断!!
权限不同,按钮显示就不同 如何做呢?
上面问题的解决办法:
为了扩展,
# 把两条线 合成一个线
/users/..
/roles/...
1.修改表结构
class Permission(models.Model):
title = models.CharField(max_length=32)
url = models.CharField(max_length=32) # 标记出行为
action = models.CharField(max_length=32, default="") group = models.ForeignKey('PermissionGroup', default=1, on_delete=True) def __str__(self):
return self.title class PermissionGroup(models.Model):
title = models.CharField(max_length=32) def __str__(self):
return self.title makemigrations
migrate
注意点:
加了一个权限组表,
将每张表的增删改查,划到一个组里面!
无论多复杂的,最终一定是对数据库的(增删改查) 修改表结构,重新处理中间件,登录页面:
目的:全是为了按钮的粒度,同一个模板,同一个视图,
显示不同的数据,权限
models.py
from django.db import models class User(models.Model):
name = models.CharField(max_length=32)
pwd = models.CharField(max_length=32)
roles = models.ManyToManyField(to='Role') def __str__(self):
return self.name class Role(models.Model):
title = models.CharField(max_length=32)
permission = models.ManyToManyField(to='Permission') def __str__(self):
return self.title class Permission(models.Model):
title = models.CharField(max_length=32)
url = models.CharField(max_length=32) # 标记出行为
action = models.CharField(max_length=32, default="") group = models.ForeignKey('PermissionGroup', default=1, on_delete=True) def __str__(self):
return self.title class PermissionGroup(models.Model):
title = models.CharField(max_length=32) def __str__(self):
return self.title
2.admin 修改 注意:list_display = [] admin.py
from django.contrib import admin
from .models import * class PerConfig(admin.ModelAdmin):
list_display = ['title','url','group','action'] admin.site.register(User)
admin.site.register(Role)
admin.site.register(Permission,PerConfig)
admin.site.register(PermissionGroup)
3.登录之后,重写 initial_session(user,request)
就是:
# 在session中注册权限列表 用户权限
# request.session['permission_list'] = permission_list 不应该是list 而是dict # 在session中注册权限字典
request.session['permission_dict'] = permission_dict
注意点:
permission = user.roles.all().values('permission__url', 'permission__group_id', 'permission__action').distinct()对数据的处理,以组为键
{1: {'urls': ['/users/', '/users/add/', '/users/delete/(\\d+)/', '/users/edit/(\\d+)/'],
'actions': ['list', 'add', 'delete', 'edit']},
2: {'urls': ['/roles/'],
'actions': ['list']}}permission.py
# -*- coding:utf-8 -*- def initial_session(user, request):
# 方案一
# permission = user.roles.all().values('permission__url').distinct()
# # print(permission)
# # 去重后的 所有权限!! 将权限 存在 session 中!!
# # <QuerySet [{'permission__url': '/users/'}, {'permission__url': '/users/add'}]>
#
# permission_list = []
# for item in permission:
# permission_list.append(item['permission__url'])
#
# print(permission_list) # ['/users/', '/users/add']
#
# # 在session中注册权限列表 用户权限
# request.session['permission_list'] = permission_list # 方案二
permission = user.roles.all().values('permission__url', 'permission__group_id', 'permission__action').distinct() print('permission:', permission) # permission: <QuerySet [
# {'permission__url': '/users/',
# 'permission__group_id': 1,
# 'permission__action': 'list'}, # {'permission__url': '/users/add/',
# 'permission__group_id': 1,
# 'permission__action': 'add'}, # {'permission__url': '/users/delete/(\\d+)/',
# 'permission__group_id': 1,
# 'permission__action': 'delete'}, # {'permission__url': '/users/edit/(\\d+)/',
# 'permission__group_id': 1,
# 'permission__action': 'edit'}]> # {'permission__url': 'roles/',
# 'permission__group_id': 2,
# 'permission__action': 'list'}]> # 处理数据 : 以组为键
"""
1:{
"url":['/users/','/users/add','/users/delete/(\\d+)/','/users/edit/(\\d+)']
"action":['list','add','delete','edit']
} 2:{
"url":['/roles/']
"action":['list']
} """ permission_dict = {}
for item in permission:
gid = item.get('permission__group_id')
url = item.get('permission__url')
action = item.get('permission__action') if not gid in permission_dict.keys():
permission_dict[gid] = {
"urls": [url, ],
"actions": [action, ]
} else:
permission_dict[gid]['urls'].append(url)
permission_dict[gid]['actions'].append(action) print(permission_dict)
"""
{1: {'urls': ['/users/', '/users/add/', '/users/delete/(\\d+)/', '/users/edit/(\\d+)/'],
'actions': ['list', 'add', 'delete', 'edit']},
2: {'urls': ['/roles/'],
'actions': ['list']}}
""" # 注册session
# # 在session中注册权限字典 用户权限 request.session['permission_dict'] = permission_dict
4.重写中间件
校验权限 # 注意:妙 !!
request.actions = item["actions"] rbac.py
# -*- coding:utf-8 -*-
from django.shortcuts import HttpResponse, render, redirect
from django.utils.deprecation import MiddlewareMixin
import re class ValidPermission(MiddlewareMixin): def process_request(self,request): current_path = request.path_info # 白名单,不需要任何权限的url
valid_url_list = ['/login/', '/reg/', '/admin/.*'] for valid_url in valid_url_list:
ret = re.match(valid_url, current_path)
if ret:
return # 校验是否登录
user_id = request.session.get('user_id')
if not user_id:
return redirect('/login/') # # 校验权限 1
# permission_list = request.session.get('permission_list',[])
#
# flag = False
# for permission in permission_list:
# # ['/users/', '/users/add/', '/users/edit/(\\d+)/', '/users/delete/(\\d+)/']
# # 需要 ^ $ 限定!!
# permission = "^%s$" % permission
#
# ret = re.match(permission, current_path)
# if ret:
# flag = True
# break
#
# if not flag:
# return HttpResponse('无访问权限!') # 校验权限 2 permission_dict
permission_dict = request.session.get('permission_dict')
for item in permission_dict.values():
urls = item['urls']
for reg in urls:
reg = "^%s$" % reg
ret = re.match(reg, current_path)
if ret:
print("action", item['actions']) # 注意:妙 !!
request.actions = item["actions"] return return HttpResponse('无权访问') """
permission_dict: {1: {'urls': ['/users/', '/users/add/', '/users/delete/(\\d+)/', '/users/edit/(\\d+)/'],
'actions': ['list', 'add', 'delete', 'edit']},
2: {'urls': ['/roles/'],
'actions': ['list']}} """
5.重写users()视图,以及users.html
1.也可以实现:
{% if "add" in request.actions %}
<a href="/users/add/" class="btn btn-primary">添加</a>
{% endif %}
BUT: 还可以更好:用类来实现!!
{% if per.add %}
<a href="/users/add/" class="btn btn-primary">添加</a>
{% endif %}
{% if per.delete %}
<a href="" class="btn btn-danger">删除</a>
{% endif %}
-------
per = Per(request.actions)
class Per(object):
def __init__(self,actions):
self.actions = actions
def add(self):
return "add" in self.actions
def delete(self):
return "delete" in self.actions
def edit(self):
return "edit" in self.actions
def list(self):
return "list" in self.actions
views.py
from django.shortcuts import render,HttpResponse,redirect
import re from rbac.models import *
from rbac.service.permission import initial_session class Per(object):
def __init__(self,actions):
self.actions = actions def add(self):
return "add" in self.actions def delete(self):
return "delete" in self.actions def edit(self):
return "edit" in self.actions def list(self):
return "list" in self.actions def users(request):
user_list = User.objects.all() user_id = request.session.get('user_id')
user = User.objects.filter(id=user_id).first() per = Per(request.actions) return render(request,'users.html',locals())
users.html
{% extends 'base.html' %}
{% block con %}
<h4>用户列表</h4>
{# {% if "/users/add/" in permission_list %}#}
{# {% if "add" in request.actions %}#}
{% if per.add %}
<a href="/users/add/" class="btn btn-primary">添加</a>
{% endif %}
<table class="table table-bordered table-striped">
<thead>
<tr>
<th>序号</th>
<th>姓名</th>
<th>角色</th>
<th>操作</th>
</tr>
</thead>
<tbody>
{% for user in user_list %}
<tr>
<td>{{ forloop.counter }}</td>
<td>{{ user.name }}</td>
<td>
{% for role in user.roles.all %}
{{ role.title }}
{% endfor %}
</td>
<td>
{% if per.delete %}
<a href="" class="btn btn-danger">删除</a>
{% endif %}
{% if per.edit %}
<a href="" class="btn btn-warning">编辑</a>
{% endif %}
</td>
</tr>
{% endfor %}
</tbody>
</table>
{% endblock con%}
四、效果
不同的用户,具有不同的权限,
权限不同,显示的按钮就不同!!
权限粒度控制 简单控制:
{% if "users/add" in permissions_list%} 摆脱表控制 更改数据库结构
class Permission(models.Model):
title=models.CharField(max_length=32)
url=models.CharField(max_length=32) action=models.CharField(max_length=32,default="")
group=models.ForeignKey("PermissionGroup",default=1)
def __str__(self):return self.title class PermissionGroup(models.Model):
title = models.CharField(max_length=32) def __str__(self): return self.title 登录验证:
permissions = user.roles.all().values("permissions__url","permissions__group_id","permissions__action").distinct() 构建permission_dict permissions:
[ {'permissions__url': '/users/add/',
'permissions__group_id': 1,
'permissions__action': 'add'}, {'permissions__url': '/roles/',
'permissions__group_id': 2,
'permissions__action': 'list'}, {'permissions__url': '/users/delete/(\\d+)',
'permissions__group_id': 1,
'permissions__action': 'delete'}, {'permissions__url': 'users/edit/(\\d+)',
'permissions__group_id': 1,
'permissions__action': 'edit'}
] permission_dict
{ 1: {
'urls': ['/users/', '/users/add/', '/users/delete/(\\d+)', 'users/edit/(\\d+)'],
'actions': ['list', 'add', 'delete', 'edit']}, 2: {
'urls': ['/roles/'],
'actions': ['list']} } 中间件校验权限:
permission_dict=request.session.get("permission_dict") for item in permission_dict.values():
urls=item['urls']
for reg in urls:
reg="^%s$"%reg
ret=re.match(reg,current_path)
if ret:
print("actions",item['actions'])
request.actions=item['actions']
return None return HttpResponse("没有访问权限!") 思考:
菜单权限显示
笔记
五、权限不同(菜单。。。)
权限不同,菜单栏不同 只有查看,有必要放到菜单栏!
即:action == list 放到 菜单栏中 1.用户登录后,在initial_session中,注册菜单权限 注意:permission__group__title 还可以这样用,跨了3张表!! permissions = user.roles.all().values('permission__url', 'permission__action',
'permission__group__title').distinct() menu_permission_list = []
for item in permissions:
if item['permission__action'] == 'list':
menu_permission_list.append((item['permission__url'], item['permission__group__title'])) print(menu_permission_list)
# [('/users/', '用户管理'), ('/roles/', '角色管理')] request.session['menu_permission_list'] = menu_permission_list
2.menu
menu_permission_list = request.session.get('menu_permission_list') base.html
{% for item in menu_permission_list %}
<p class="menu_btn"><a href="{{ item.0 }}">{{ item.1 }}</a></p>
{% endfor %} 可以实现,菜单显示!但是不行,为什么? 因为模板继承,只继承样式,不继承数据!所有需要用到 自定义标签(inclusion_tag) 3.自定义标签(inclusion_tag)
rbac/templatetags/my_tags.py
from django import template
register = template.Library() @register.inclusion_tag('menu.html')
def get_menu(request):
# 获取当前用户,应该放到菜单栏的权限
menu_permission_list = request.session.get('menu_permission_list') return {'menu_permission_list':menu_permission_list} menu.html:
<div>
{% for item in menu_permission_list %}
<p class="menu_btn"><a href="{{ item.0 }}">{{ item.1 }}</a></p>
{% endfor %} </div> base.html
{% load my_tags %}
<div class="menu">
{% get_menu request %}
</div>
4.包...建在哪个App
属于权限的就建在rbac的APP里,因为rpac最后是可插拔的组件!! users.html / roles.html / base.html / menu.html
是和权限相关的,所以应该放在 rbac/templates/... 方便以后copy走!! djangod的render去渲染 .html 时,先到项目的 templates 下找,找不到,再到App下 templates 下找,
最后找不到,才报错!! 如果多个App的templates 下的.html重名怎么办? django 会根据注册的顺序显示!
解决办法:
项目/rbac/templates/rbac/xxx.html 这时调用:
return render(request, 'rbac/users.html', locals()) 注意:
templates 或者 templatetag 注意多个app下面 的文件名 有可能都会重名!!
办法:就是 eg:/rbac/templates/rbac/xxx.html 或者不起重名 注意:
如果 base.html 在项目下有,在App下有,先找项目下的,找不到才找App
全局可以覆盖局部的!!
六、效果
用户的权限不同,
显示的菜单栏,就不同,
按钮也不同
七、路径自动添加
知识点:路径自动添加问题:
http://127.0.0.1:8010/users
http://127.0.0.1:8010/users/ 浏览器发请求:
django 发现之后,发了一个重定向的 url 加了一个 /
所有才能匹配上:
path('users/', views.users), 如何让django不给浏览器发重定向,不加 /
配置:
APPEND_SLASH = False APPEND_SLASH = True # 默认为 True ajax 也是,django会默认的加 / 发重定向
八、rbac_code
原始版