Django使用者認證系統(三)組與許可權

Django的許可權系統很簡單，它可以賦予users或groups中的users以許可權。

Django admin後台就使用了該許可權系統，不過也可以用到你自己的代碼中。

User對象具有兩個ManyToManyField欄位，groups和user_permissions

groups = models.ManyToManyField(Group, verbose_name=_('groups'),
blank=True, help_text=_('The groups this user belongs to. A user will '
'get all permissions granted to each of '
'their groups.'),
related_name="user_set", related_query_name="user")
user_permissions = models.ManyToManyField(Permission,
verbose_name=_('user permissions'), blank=True,
help_text=_('Specific permissions for this user.'),
related_name="user_set", related_query_name="user")

可以像其它的django Model一樣來訪問他們：

myuser.groups = [group_list]
myuser.groups.add(group, group, ...)
myuser.groups.remove(group, group, ...)
myuser.groups.clear()
myuser.user_permissions = [permission_list]
myuser.user_permissions.add(permission, permission, ...)
myuser.user_permissions.remove(permission, permission, ...)
myuser.user_permissions.clear()

許可權Permissions

許可權是作為一個Model存在的，建立一個許可權就是建立一個Permission Model的執行個體。

@python_2_unicode_compatible
class Permission(models.Model):
"""
The permissions system PRovides a way to assign permissions to specific
users and groups of users.

The permission system is used by the Django admin site, but may also be
useful in your own code. The Django admin site uses permissions as follows:

- The "add" permission limits the user's ability to view the "add" form
and add an object.
- The "change" permission limits a user's ability to view the change
list, view the "change" form and change an object.
- The "delete" permission limits the ability to delete an object.

Permissions are set globally per type of object, not per specific object
instance. It is possible to say "Mary may change news stories," but it's
not currently possible to say "Mary may change news stories, but only the
ones she created herself" or "Mary may only change news stories that have a
certain status or publication date."

Three basic permissions -- add, change and delete -- are automatically
created for each Django model.
"""
name = models.CharField(_('name'), max_length=255)
content_type = models.ForeignKey(ContentType)
codename = models.CharField(_('codename'), max_length=100)
objects = PermissionManager()

class Meta:
verbose_name = _('permission')
verbose_name_plural = _('permissions')
unique_together = (('content_type', 'codename'),)
ordering = ('content_type__app_label', 'content_type__model',
'codename')

def __str__(self):
return "%s | %s | %s" % (
six.text_type(self.content_type.app_label),
six.text_type(self.content_type),
six.text_type(self.name))

def natural_key(self):
return (self.codename,) + self.content_type.natural_key()
natural_key.dependencies = ['contenttypes.contenttype']

欄位fields

name：必需。50個字元或更少，例如，’Can Vote‘

content_type：必需，一個對於django_content_type資料庫table的引用，table中含有每個應用中的Model的記錄。

codename：必需，100個字元或更少，例如，'can_vote'。

如果要為某個Model建立許可權：

from django.db import models

class Vote(models.Model):
...

class Meta:
permissions = (("can_vote", "Can Vote"),)

如果這個Model在應用foo中，則許可權表示為'foo.can_vote',檢查某個使用者是否具有許可權myuser.has_perm('foo.can_vote')

預設許可權default permissions

如果已經在 INSTALLED_APPS配置了django.contrib.auth，它會保證為installed applications中的每個Django Model建立3個預設許可權：add, change 和 delete。

這些許可權會在你第一次運行 manage.py migrate(1.7之前為syncdb) 時建立。當時所有的models都會建立許可權。在這之後建立的新models會在再次運行 manage.py migrate時建立這些預設許可權。這些許可權與admin管理介面中的建立，刪除，修改行為是一一對應的。

假設你有一個應用 foo ，其中有一個模型 Bar, 你可以用下述方法來測試基本許可權：

add: user.has_perm('foo.add_bar')
change: user.has_perm('foo.change_bar')
delete: user.has_perm('foo.delete_bar')
許可權模型（ Permission model）一般不直接使用。

組Groups

組也是作為Model存在的：

@python_2_unicode_compatible
class Group(models.Model):
"""
Groups are a generic way of categorizing users to apply permissions, or
some other label, to those users. A user can belong to any number of
groups.

A user in a group automatically has all the permissions granted to that
group. For example, if the group Site editors has the permission
can_edit_home_page, any user in that group will have that permission.

Beyond permissions, groups are a convenient way to categorize users to
apply some label, or extended functionality, to them. For example, you
could create a group 'Special users', and you could write code that would
do special things to those users -- such as giving them access to a
members-only portion of your site, or sending them members-only email
messages.
"""
name = models.CharField(_('name'), max_length=80, unique=True)
permissions = models.ManyToManyField(Permission,
verbose_name=_('permissions'), blank=True)

objects = GroupManager()

class Meta:
verbose_name = _('group')
verbose_name_plural = _('groups')

def __str__(self):
return self.name

def natural_key(self):
return (self.name,)

欄位fields：

name：必需，80個字元或更少，例如， 'Awesome Users'。

permissions：ManyToManyField to Permission

group.permissions = [permission_list]
group.permissions.add(permission, permission, ...)
group.permissions.remove(permission, permission, ...)
group.permissions.clear()

Programmatically creating permissions

除了可以使用Model meta來建立許可權，也可以直接用代碼建立。

例如，為myapp應用中的BlogPost模型建立一個can_publish許可權：

from myapp.models import BlogPost
from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType

content_type = ContentType.objects.get_for_model(BlogPost)
permission = Permission.objects.create(codename='can_publish',
name='Can Publish Posts',
content_type=content_type)

許可權可以被賦予一個User對象通過它的user_permissions屬性或者賦予一個Group通過它的permissions屬性。

許可權緩衝

User的許可權檢查時是可以被緩衝的，如果一個新許可權被賦予一個User，如果再立即檢查是不會被檢查出來的。最簡單的方法是重新fetch User對象。

from django.contrib.auth.models import Permission, User
from django.shortcuts import get_object_or_404

def user_gains_perms(request, user_id):
user = get_object_or_404(User, pk=user_id)
#許可權檢查會緩衝現在的許可權集
user.has_perm('myapp.change_bar')

permission = Permission.objects.get(codename='change_bar')
user.user_permissions.add(permission)

# 檢查許可權緩衝集
user.has_perm('myapp.change_bar') # False

# 請求新執行個體
user = get_object_or_404(User, pk=user_id)

# Permission cache is repopulated from the database
user.has_perm('myapp.change_bar') # True

...

許可權裝飾器

permission_required(perm[, login_url=None, raise_exception=False])

檢查使用者是否具有某個許可權，類似於@login_required()

from django.contrib.auth.decorators import permission_required

@permission_required('polls.can_vote', login_url='/loginpage/')
def my_view(request):
...

模板中的許可權

user的的許可權儲存在模板變數 {{ perms }}中，是django.contrib.auth.context_processors.PermWrapper執行個體。

{{ perms.foo }}

上面的單屬性是User.has_module_perms的代理。如果user擁有foo中的任一許可權，則為True

{{ perms.foo.can_vote }}

上面的兩級屬性查詢是User.has_perm的代理，如果使用者擁有foo.can_vote許可權則為True。

例如：

{% if perms.foo %}
<p>You have permission to do something in the foo app.</p>
{% if perms.foo.can_vote %}
<p>You can vote!</p>
{% endif %}
{% if perms.foo.can_drive %}
<p>You can drive!</p>
{% endif %}
{% else %}
<p>You don't have permission to do anything in the foo app.</p>
{% endif %}

或者：

{% if 'foo' in perms %}
{% if 'foo.can_vote' in perms %}
<p>In lookup works, too.</p>
{% endif %}

以上就是Django使用者認證系統(三)組與許可權的內容，更多相關內容請關注topic.alibabacloud.com（www.php.cn）！

