Django platform build, hands-on tutorial 3: writing endpoints and permission checks (separated front end and back end)

Published 2023-11-02 10:27:26 Author: 进肛葫芦娃

Custom permission checks

Add a group_id field to registration

...
from rest_framework.decorators import api_view
from rest_framework.request import Request
from rest_framework.response import Response

from .models import DUser  # custom user model of the authen app (assumed import path)


@api_view(['POST'])
def register(request: Request):
    username = request.data.get("username")
    password = request.data.get("password")
    group_id = request.data.get("group_id")
    if not username or not password or group_id is None:
        return Response({
            "code": 400,
            "msg": "username, password and group_id are required"
        })
    if DUser.objects.filter(username=username).exists():
        return Response({
            "code": 400,
            "msg": "user already exists"
        })
    user = DUser.objects.create_user(username=username, password=password)
    # The caller chooses its own group here; see the note below.
    user.groups.add(group_id)
    return Response({
        "code": 0,
        "msg": "registration successful"
    })

Letting the client send group_id means anyone who can reach the registration endpoint can place themselves in whichever group they like, including a group that holds add_duser or set_group_permissions once those are granted below. For anything beyond a demo, assign a fixed default group on the server, or accept only ids from an explicit allowlist of self-service groups.

serializers.py

...
from django.contrib.auth.models import Permission
from rest_framework import serializers


class PermissionSerializer(serializers.ModelSerializer):
    class Meta:
        model = Permission
        # 'url' becomes a HyperlinkedIdentityField for the permission-detail route
        fields = ['id', 'url', 'name', 'content_type', 'codename']

views.py

...
from django.contrib.auth.models import Permission
from rest_framework import permissions, viewsets

from .serializers import PermissionSerializer


class PermissionViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows permissions to be viewed or edited.
    """
    queryset = Permission.objects.all()
    serializer_class = PermissionSerializer
    permission_classes = [permissions.IsAuthenticated]

urls.py

...
router.register(r'permission', views.PermissionViewSet)

A request to /permission/ now returns every permission's id and codename (plus name and content_type). The tutorial only ever reads from this endpoint, but as a ModelViewSet it also lets any authenticated user create, edit or delete Permission rows; a ReadOnlyModelViewSet is the safer choice here.

DRF's IsAuthenticated only checks that the caller is logged in; it does not consult model permissions, so by default every authenticated user can call every CRUD method of these viewsets. DRF does ship permissions.DjangoModelPermissions, which maps POST/PUT/PATCH/DELETE to the model's add/change/delete permissions, but this tutorial wires the check by hand: before each create/update/delete, call user.has_perm() to test whether the user holds the corresponding permission, directly or through one of their groups.

The argument is app_label.codename, for example authen.add_duser for the DUser model in the authen app. has_perm() returns True for every permission when the user is an active superuser and False for every permission when the user is inactive.

...
from rest_framework import permissions, viewsets
from rest_framework.response import Response

from .models import DUser
from .serializers import DUserSerializer


class DUserViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows users to be viewed or edited.
    """
    queryset = DUser.objects.all().order_by('-date_joined')
    serializer_class = DUserSerializer
    permission_classes = [permissions.IsAuthenticated]

    def create(self, request, *args, **kwargs):
        user: DUser = request.user
        print(user.get_group_permissions())  # debug: permissions inherited via groups
        # Django's default "add" permission for DUser, as app_label.codename
        if user.has_perm("authen.add_duser"):
            return super().create(request, *args, **kwargs)
        return Response({
            "code": 400,
            "msg": "no permission"
        })

    def destroy(self, request, *args, **kwargs):
        user: DUser = request.user
        if user.has_perm("authen.delete_duser"):
            super().destroy(request, *args, **kwargs)
            return Response({
                "code": 200,
                "msg": "deleted"
            })
        return Response({
            "code": 400,
            "msg": "no permission"
        })

    def destroy(self, request, *args, **kwargs):
        user: User = request.user
        print(user.get_group_permissions())
        if user.has_perm("authen.delete_duser"):
            super().destroy(request, *args, **kwargs)
            return Response({
                "code": 200,
                "msg": "删除成功"
            })
        else:
            return Response({
                "code": 400,
                "msg": "用户无权限"
            })

Now requests to create or delete a user from an account without those permissions return:

{
"code": 400,
"msg": "no permission"
}

Only create and destroy are gated here: list, retrieve, update and partial_update still run for any authenticated user, so the remaining CRUD methods need the same treatment. The response also keeps HTTP status 200 and signals the denial only through the body's code field; clients, proxies and logging that key off the HTTP status would need a 403 (for example by raising DRF's PermissionDenied) instead.

Add a set_permissions method to the group view

...
from django.contrib.auth.models import Group
from rest_framework import permissions, viewsets
from rest_framework.decorators import action
from rest_framework.request import Request
from rest_framework.response import Response

from .serializers import GroupSerializer


class GroupViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows groups to be viewed or edited.
    """
    queryset = Group.objects.all()
    serializer_class = GroupSerializer
    permission_classes = [permissions.IsAuthenticated]

    @action(methods=['POST'], detail=True)
    def set_permissions(self, request: Request, pk=None):
        # POST /group/<pk>/set_permissions/ with {"permissions": [id, ...]}
        group = self.get_object()
        group.permissions.set(request.data["permissions"])
        return Response({
            "code": 0,
            "msg": "success"
        })

Using the ids returned by /permission/, grant the group the user-endpoint CRUD permissions (add_duser, delete_duser and so on) through set_permissions, then:

Request the add-user endpoint again

Request the delete-user endpoint again

Custom actions can be gated the same way. As written above, set_permissions itself has no check, so any authenticated user can call it and grant every permission to any group, including their own; that makes it the most sensitive endpoint in this API.

Rewrite the group view

...
from django.contrib.auth.models import Group
from rest_framework import permissions, viewsets
from rest_framework.decorators import action
from rest_framework.request import Request
from rest_framework.response import Response

from .models import DUser
from .serializers import GroupSerializer


class GroupViewSet(viewsets.ModelViewSet):
    """
    API endpoint that allows groups to be viewed or edited.
    """
    queryset = Group.objects.all()
    serializer_class = GroupSerializer
    permission_classes = [permissions.IsAuthenticated]

    @action(methods=['POST'], detail=True)
    def set_permissions(self, request: Request, pk=None):
        user: DUser = request.user
        print(user.get_group_permissions())  # debug: permissions inherited via groups
        # custom codename, checked with the same app_label.codename form
        if user.has_perm("authen.set_group_permissions"):
            group = self.get_object()
            group.permissions.set(request.data["permissions"])
            return Response({
                "code": 0,
                "msg": "success"
            })
        return Response({
            "code": 400,
            "msg": "no permission"
        })

Add the set_group_permissions permission. Because has_perm() is called with the authen app label, the permission must belong to a content type of that app: declare it in Meta.permissions of a model in authen (for example permissions = [("set_group_permissions", "Can set group permissions")] on DUser) and run makemigrations/migrate, or create the Permission row directly with a content type from that app.

Calling set_permissions again now reports no permission; calling it with the administrator's token succeeds, because has_perm() returns True for every permission when the user is an active superuser.
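The hand-written checks above repeat the same if/else in every method and silently leave unlisted actions (update, partial_update, and any new @action) open. The following is an added example, not code from the tutorial: a DRF permission class that maps each viewset action to the app_label.codename permissions it requires, using Django's default add/change/delete/view naming (the same scheme as authen.add_duser) and an extra mapping for custom actions such as set_permissions. The class, function and FakeUser names are mine; the app label authen, the DUser model and the codename set_group_permissions come from the page. FakeUser is a constructed stand-in for request.user so the gate can be exercised without a Django project.

```python
from types import SimpleNamespace

try:
    from rest_framework.permissions import BasePermission
except Exception:  # DRF absent or Django not configured: run stand-alone
    class BasePermission:
        def has_permission(self, request, view):
            return True

        def has_object_permission(self, request, view, obj):
            return True


# Django's default per-model permission prefixes, keyed by the viewset
# action that should require them (the authen.add_duser style on the page).
DEFAULT_ACTION_PREFIXES = {
    "list": "view",
    "retrieve": "view",
    "create": "add",
    "update": "change",
    "partial_update": "change",
    "destroy": "delete",
}


def action_perms_for(model_label, extra=None):
    """Return {viewset action: [perm, ...]} for a label such as "authen.duser".

    extra maps custom @action names to their codenames, e.g.
    {"set_permissions": ["authen.set_group_permissions"]}.
    """
    app_label, model_name = model_label.lower().split(".", 1)
    perms = {
        action: [f"{app_label}.{prefix}_{model_name}"]
        for action, prefix in DEFAULT_ACTION_PREFIXES.items()
    }
    for action, codenames in (extra or {}).items():
        perms[action] = list(codenames)
    return perms


class ActionPermission(BasePermission):
    """Allow the request only if user.has_perm() holds for every permission
    mapped to view.action in view.action_perms.

    Unmapped actions are denied (fail closed): a new @action stays
    unreachable until someone assigns it a codename.
    """

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not user.is_authenticated:
            return False
        action = getattr(view, "action", None)
        required = getattr(view, "action_perms", {}).get(action)
        if required is None:
            return False
        return all(user.has_perm(perm) for perm in required)

    def has_object_permission(self, request, view, obj):
        # Model-level codenames are not per-object; has_permission decided.
        return True


class FakeUser:
    """Constructed stand-in for request.user so the gate runs without Django;
    it mirrors the superuser/inactive behaviour of Django's real has_perm()."""
    is_authenticated = True

    def __init__(self, perms=(), is_superuser=False, is_active=True):
        self._perms = set(perms)
        self.is_superuser = is_superuser
        self.is_active = is_active

    def has_perm(self, perm):
        if not self.is_active:
            return False
        return self.is_superuser or perm in self._perms


def check(user, action, action_perms):
    """Run ActionPermission against a fake request/view and return the verdict."""
    request = SimpleNamespace(user=user)
    view = SimpleNamespace(action=action, action_perms=action_perms)
    return ActionPermission().has_permission(request, view)


if __name__ == "__main__":
    duser_perms = action_perms_for("authen.duser")
    group_perms = action_perms_for(
        "auth.group", extra={"set_permissions": ["authen.set_group_permissions"]}
    )
    viewer = FakeUser(perms={"authen.view_duser"})
    print(check(viewer, "destroy", duser_perms))  # False
    print(check(FakeUser(is_superuser=True), "set_permissions", group_perms))  # True
```

To wire it into the tutorial's viewsets (hypothetical, not shown on the page), add ActionPermission to permission_classes next to IsAuthenticated and set action_perms = action_perms_for("authen.duser") on DUserViewSet and action_perms = action_perms_for("auth.group", extra={"set_permissions": ["authen.set_group_permissions"]}) on GroupViewSet. DRF then returns a real 403 from the permission check before create/destroy/set_permissions run, and the viewset methods no longer need their own if/else. Because the real Django has_perm() grants everything to active superusers, the administrator token still passes, exactly as the tutorial observes.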

This completes the basic back-end skeleton for Django user management and permission checks; some details remain to be refined, and the next step is to pick a front-end framework and build the pages.