This article explains the permissions model in the Django framework, from theory to a practical walkthrough, to show you what permissions in Django are all about.
I. Main content
1. What is Rights management?
2. Web Permissions
3. Django Privilege mechanism
4. Django Permission Entries
5. Permission Application
Permission (i)
Permission (ii)
User Permission Management (i)
User Permission Management (ii)
Group Permission Management
Permission Validation (i)
Permission Validation (ii)
Permission Validation (iii)
Permission Validation (iv)
II. What is rights management
Rights management generally means that, under the security rules or security policies set by the system, users can access the resources they are authorized for, and only those resources. Rights management is like a key: with the key you can open the door. Permissions are also divided into levels. If a room has several doors, you have to get all the keys to open all the doors, and the same holds for a system with more than one level of access.
III. Web permissions
Rights management is a key aspect of web application projects. Browsers are available on every computer, so without a rights management system an "illegal user" can easily reach every feature of a web app through a browser. The rights management system therefore has to perform permission checks, so that authorized users can use the functions they are authorized for normally and legitimately, and unauthorized users are shut out. A good rights management system should assign different operation permissions to each class of user or to each user, and should be extensible, that is, it can be added to any web application project that needs rights management and reused like a component. Developers should also keep in mind that, when building a web application, the whole system should be refined as much as possible: decomposed into several sub-modules and then combined into a complete application. Only then is it easy to assign different operation permissions to each class of user or to each user.
IV. Django permissions mechanism
The Django permission mechanism can constrain user behavior and control what a page displays. It also makes the API more secure and flexible, and a good permission mechanism makes the system more powerful and robust.
Django implements the permission mechanism with User, Group, and Permission. A permission that belongs to a model is assigned to a user or a group, and it can be understood as a global permission: if user A has write permission on data model B, A can modify all instances (objects) of model B. The same is true for group permissions: if you give group C write permission on model B, all users who belong to group C can modify all instances of model B.
V. Django permission entries
Django stores permission entries as Permission objects; each model has three permissions: add, change, and delete.
A permission always corresponds to a model. If an object is not an instance of a model, we cannot create or assign permissions for it.
VI. Application of permissions
Permission
User Permission
Group Permission
Permission check
1. Permission (i)
After a model is defined, Django adds the model's three permissions (add, change, and delete) by default. Custom permissions can be added manually when we define the model.
2. Permission (ii)
Each permission is an instance of the django.contrib.auth.models.Permission type and contains three fields: name, codename, and content_type.
content_type reflects which model the permission belongs to.
codename, such as the view_server above, is what the code logic uses when checking permissions.
name is the description of the permission; it is what is displayed by default when a permission is printed to the screen or a page.
3. User Permission Management (i)
The user_permissions field of the User object manages permissions for a user:
user = User.objects.get(username="Rock")
user.user_permissions.set(permission_list)  # replace all permissions (direct assignment was removed in Django 2.0)
user.user_permissions.add(permission1, permission2, ...)  # add permissions
user.user_permissions.remove(permission1, permission2, ...)  # remove permissions
user.user_permissions.clear()  # clear all permissions
# Note: each permission above is an instance of the django.contrib.auth.models.Permission type
4. User Permission Management (ii)
Check user permissions with the has_perm() method:
The parameter of the has_perm() method is the codename of the permission, prefixed with the app to which the model belongs. The has_perm() method applies regardless of whether the permission is assigned to the user or to a group.
List all permissions for a user
List permissions for the group to which the user belongs
Group Permission Management
Group permission management follows the same logic as user permission management; a group uses its permissions field for rights management:
group.permissions.set(permission_list)  # replace all permissions (direct assignment was removed in Django 2.0)
group.permissions.add(permission1, permission2, ...)
group.permissions.remove(permission1, permission2, ...)
group.permissions.clear()
Permission Validation (i)
Validating permissions in views
--permission_required
When business logic involves a permission check, a decorator separates permission validation from the core business logic, making the code more concise and the logic clearer. The decorator for permissions is permission_required.
Permission Validation (ii)
Validating in class-based views
Permission Validation (iii)
Validating in views
Permission Validation (iv)
Permission checks in templates
Extended reading:
Using the Django authentication system: HTTP://PYTHON.USYIYI.CN/TRANSLATE/DJANGO_182/TOPICS/AUTH/DEFAULT.HTML