第十三章、用戶自定義認證

13.1.用戶自定義認證

• class Meta:

? ? 　　? ? ? ?abstract = True? ?(不會創建表，只把字段繼承給子類)

• django加密方式：md5 +? 鹽
• account

? ? ? ? ? ? ? ? ? LADP:輕量級目錄賬號管理協議（集中賬號管理）：通過網絡到LDAP服務器上進行驗證

• SSO：Single Sign on （單點登錄）

?

（1）settings.py

AUTH_USER_MODEL = 'crm.UserProfile'

（2）crm/models.py

class UserProfileManager(BaseUserManager):def create_user(self, email, name, password=None):"""Creates and saves a User with the given email, date ofbirth and password."""if not email:raise ValueError('Users must have an email address')user = self.model(email=self.normalize_email(email),name=name,)user.set_password(password)user.save(using=self._db)return userdef create_superuser(self, email, name, password):"""Creates and saves a superuser with the given email, date ofbirth and password."""user = self.create_user(email,password=password,name=name,)user.is_admin = Trueuser.save(using=self._db)return userclass UserProfile(AbstractBaseUser,PermissionsMixin):email = models.EmailField(verbose_name='email address',max_length=255,unique=True,)name = models.CharField(max_length=64)role = models.ManyToManyField(Role, blank=True, null=True)is_active = models.BooleanField(default=True)is_admin = models.BooleanField(default=False)is_staff = models.BooleanField(default=False)#創建用戶和超級用戶，關聯上面的objects = UserProfileManager()USERNAME_FIELD = 'email'#必須要有的字段REQUIRED_FIELDS = ['name']def __str__(self):return self.emaildef has_perm(self, perm, obj=None):"Does the user have a specific permission?"# Simplest possible answer: Yes, alwaysreturn Truedef has_module_perms(self, app_label):"Does the user have permissions to view the app `app_label`?"# Simplest possible answer: Yes, alwaysreturn Truedef get_full_name(self):# The user is identified by their email addressreturn self.emaildef get_short_name(self):# The user is identified by their email addressreturn self.email@propertydef is_staff(self):"Is the user a member of staff?"# Simplest possible answer: All admins are staffreturn self.is_admin

?

（3）crm/admin.py

from django import forms from django.contrib import admin from django.contrib.auth.models import Group from django.contrib.auth.admin import UserAdmin as BaseUserAdmin from django.contrib.auth.forms import ReadOnlyPasswordHashFieldfrom crm.models import UserProfileclass UserCreationForm(forms.ModelForm):"""A form for creating new users. Includes all the requiredfields, plus a repeated password."""password1 = forms.CharField(label='Password', widget=forms.PasswordInput)password2 = forms.CharField(label='Password confirmation', widget=forms.PasswordInput)class Meta:model = UserProfilefields = ('email', 'name')#進行驗證def clean_password2(self):# Check that the two password entries matchpassword1 = self.cleaned_data.get("password1")password2 = self.cleaned_data.get("password2")if password1 and password2 and password1 != password2:raise forms.ValidationError("Passwords don't match")return password2def save(self, commit=True):# Save the provided password in hashed format#繼承基類的save()user = super(UserCreationForm, self).save(commit=False)#把明文密碼改成密文user.set_password(self.cleaned_data["password1"])if commit:user.save()return userclass UserChangeForm(forms.ModelForm):"""A form for updating users. Includes all the fields onthe user, but replaces the password field with admin'spassword hash display field."""#把密碼改成哈希的了password = ReadOnlyPasswordHashField()class Meta:model = UserProfilefields = ('email', 'password', 'name', 'is_active', 'is_superuser')def clean_password(self):# Regardless of what the user provides, return the initial value.# This is done here, rather than on the field, because the# field does not have access to the initial valuereturn self.initial["password"]class UserProfileAdmin(BaseUserAdmin):# The forms to add and change user instancesform = UserChangeFormadd_form = UserCreationForm# The fields to be used in displaying the User model.# These override the definitions on the base UserAdmin# that reference specific fields on auth.User.list_display = ('email', 'name','is_superuser')list_filter = ('is_superuser',)fieldsets = ((None, {'fields': ('email', 'password')}),('Personal info', {'fields': ('name',)}),('Permissions', {'fields': ('is_staff','is_active','role','user_permissions','groups','is_superuser')}),)# add_fieldsets is not a standard ModelAdmin attribute. UserAdmin# overrides get_fieldsets to use this attribute when creating a user.add_fieldsets = ((None, {'classes': ('wide',),'fields': ('email', 'name', 'password1', 'password2')}),)search_fields = ('email',)ordering = ('email',)filter_horizontal = ('role','user_permissions','groups')# Now register the new UserProfileAdmin... admin.site.register(UserProfile, UserProfileAdmin) # ... and, since we're not using Django's built-in permissions, # unregister the Group model from admin. # admin.site.unregister(Group)

?

第十四章、萬能通用權限框架設計

14.1.萬能通用權限框架設計

（1）kingadmin/permission_list.py

所有權限列表

# kingamdin/permission.py perm_dic = {# 'crm_table_index': ['table_index', 'GET', [], {}, ], # 可以查看CRM APP里所有數據庫表'crm_table_list': ['table_obj_list', 'GET', [], {}], # 可以查看每張表里所有的數據# 'crm_table_list': ['table_obj_list', 'GET', [], {'source':0,'status':0}], # 添加參數：只能訪問來源是qq和未報名的客戶'crm_table_list_view': ['table_obj_change', 'GET', [], {}], # 可以訪問表里每條數據的修改頁'crm_table_list_change': ['table_obj_change', 'POST', [], {}], # 可以對表里的每條數據進行修改'crm_table_list_add_view': ['table_obj_add ', 'GET', [], {}], # 可以訪問數據增加頁'crm_table_list_add': ['table_obj_add ', 'POST', [], {}], # 可以添加表數據 }

value[0]跟kingadmin/url.py里面的url_name一致

?

（2）kingadmin/permissions

# kingadmin/permissions.py# from django.core.urlresolvers import resolve from django.urls import resolve from django.shortcuts import render,redirect,HttpResponse from kingadmin.permission_list import perm_dic from django.conf import settingsdef perm_check(*args,**kwargs):#1.獲取當前請求的url#2.把url解析成url_name（通過resolve）#3.判斷用戶是否已登錄（user.is_authenticated()）#3.拿url_name到permission_dict去匹配，匹配時要包括請求方法和參數#4.拿匹配到可權限key，調用user.has_perm(key)match_results = [None,]request = args[0]resolve_url_obj = resolve(request.path)#通過resolve解析出當前訪問的url_namecurrent_url_name = resolve_url_obj.url_nameprint('---perm:',request.user,request.user.is_authenticated(),current_url_name)#match_flag = Falsematch_key = None#判斷用戶是否登錄if request.user.is_authenticated() is False:return redirect(settings.LOGIN_URL)for permission_key,permission_val in perm_dic.items():#key和value（值有四個參數）: 比如 'crm_table_index': ['table_index', 'GET', [], {}, ]per_url_name = permission_val[0]per_method = permission_val[1]perm_args = permission_val[2]perm_kwargs = permission_val[3]#如果當前訪問的url_name匹配上了權限里面定義的url_nameif per_url_name == current_url_name:#url_name匹配上，接著匹配方法（post,get....）if per_method == request.method:# if not perm_args: #if no args defined in perm dic, then set this request to passed perm#逐個匹配參數，看每個參數是否都能對應的上。args_matched = False #for args onlyfor item in perm_args:#通過反射獲取到request.xxx函數 這里request_methon_func = request.GET/request.POSTrequest_method_func = getattr(request,per_method)if request_method_func.get(item,None): # request字典中有此參數args_matched = Trueelse:print("arg not match......")args_matched = Falsebreak # 有一個參數不能匹配成功，則判定為假，退出該循環。因為可能有很多參數，必須所有參數都一樣才匹配成功else: # perm_dic里面的參數可能定義的就是空的，就走這里args_matched = True#匹配有特定值的參數kwargs_matched = Falsefor k,v in perm_kwargs.items():request_method_func = getattr(request, per_method)arg_val = request_method_func.get(k, None) # request字典中有此參數print("perm kwargs check:",arg_val,type(arg_val),v,type(v))if arg_val == str(v): #匹配上了特定的參數 及對應的 參數值， 比如，需要request 對象里必須有一個叫 user_id=3的參數kwargs_matched = Trueelse:kwargs_matched = Falsebreak # 有一個參數不能匹配成功，則判定為假，退出該循環。else:kwargs_matched = Truematch_results = [args_matched,kwargs_matched]print("--->match_results ", match_results)#列表里面的元素都為真if all(match_results): #都匹配上了match_key = permission_keybreakif all(match_results):#主要是獲取到app_nameapp_name, *per_name = match_key.split('_')print("--->matched ",match_results,match_key)print(app_name, *per_name)#per_obj = 例如：crm.crm_obj_listperm_obj = '%s.%s' % (app_name,match_key)print("perm str:",perm_obj)if request.user.has_perm(perm_obj):print('當前用戶有此權限')return Trueelse:print('當前用戶沒有該權限')return Falseelse:print("未匹配到權限項，當前用戶無權限")def check_permission(func):def inner(*args,**kwargs):if not perm_check(*args,**kwargs):request = args[0]return render(request,'kingadmin/page_403.html')return func(*args,**kwargs)return inner

?獲取到表的名字的時候用到了 *per_name和split，具體用法解釋：

?

?

?

?

?

（3）page_403.html

{#kingadmin/templates/kingamdin/page_403.html#}{% extends 'kingadmin/base.html' %}{% block body %} <div class="row col-lg-offset-2"><h1 style="font-size: 200px;">403</h1><h4>You have no permission to access this page</h4> </div>{% endblock %}

?

（4）crm/models.py

Meta里面加入權限

class UserProfile(AbstractBaseUser,PermissionsMixin):email = models.EmailField(verbose_name='email address',max_length=255,unique=True,)name = models.CharField(max_length=64)role = models.ManyToManyField(Role, blank=True, null=True)is_active = models.BooleanField(default=True)is_admin = models.BooleanField(default=False)is_staff = models.BooleanField(default=True)#創建用戶和超級用戶，關聯上面的objects = UserProfileManager()USERNAME_FIELD = 'email'#必須要有的字段REQUIRED_FIELDS = ['name']def __str__(self):return self.email# def has_perm(self, perm, obj=None):# "Does the user have a specific permission?"# # Simplest possible answer: Yes, always# return True# # def has_module_perms(self, app_label):# "Does the user have permissions to view the app `app_label`?"# # Simplest possible answer: Yes, always# return Truedef get_full_name(self):# The user is identified by their email addressreturn self.emaildef get_short_name(self):# The user is identified by their email addressreturn self.email# @property# def is_staff(self):# "Is the user a member of staff?"# # Simplest possible answer: All admins are staff# return self.is_adminclass Meta:permissions = (('crm_table_list','可以查看每張表里所有的數據'),('crm_table_list_view','可以訪問表里每條數據的修改頁'),('crm_table_list_change','可以對表里的每條數據進行修改'),('crm_table_list_add_view','可以訪問數據增加頁'),('crm_table_list_add','可以添加表數據'),)

?

?

?

（5）kingadmin/views.py加裝飾器

?

（6）admin后臺管理權限

現在訪問客戶列表（還有增加修改頁面）是沒有權限的

?

必須在后臺賦予權限才可以

?

?再訪問就可以了

?

14.2.自定義權限鉤子實現

?

只允許用戶訪問自己創建的數據，比如只允許銷售訪問自己創建的客戶：

（1）kingadmin/permission_list.py

'crm_table_list': ['table_obj_list', 'GET', [], {},permission_hook.view_my_own_customers],

?

?（2）kingadmin/permission_hook.py

# kingadmin/permission_hook.pydef view_my_own_customers(request):#當前登錄的用戶id 等于客戶的顧問的id（銷售創建客戶的時候，顧問就是銷售自己）#實現銷售只能看自己的客戶功能if str(request.user.id) == request.GET.get('consultant'):return Trueelse:return False

?

?（3）kingadmin/permissions.py

?

?現在銷售就只能看到自己創建的客戶了

?

?

?

這樣，萬通通用的權限框架就開發完畢了，權限的控制可大可小，而且想要移植到其它django項目時， 唯一需要改的，就是配置好perm_dic里的權限條目！

?

轉載于:https://www.cnblogs.com/derek1184405959/p/8995191.html

總結

以上是生活随笔為你收集整理的CRM客户关系管理系统（十三）的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。