When you create a model and sync it to the database, Django sets up three permissions by default: add, change and delete. Often these are not enough, and in that case we can write a script to set up permissions.
According to Django's official documentation, permissions are tied to models. Suppose you want a view that admits users who hold a permission and rejects users who do not; the steps below implement that requirement.
There are two general ways to verify permissions. One is the @permission_required decorator; the other is calling user.has_perm() inside the function and deciding the next step from the True or False it returns.
My setup is a little more complex: I added third-party OAuth2 authentication to Django and restricted cross-domain access to resources. See my previous post.
The specific steps are as follows:
Step one:
Set the scope of cross-domain access to resources as follows.
CORS_URLS_REGEX = r'^/(o|api/oauth)/.*$'
# Only allow cross-domain access to resources under /o/... or /api/oauth/...
# The slash follows the group so that other paths starting with /o (such as /orders/) are not matched.
Step two:
Write a permission script. Alternatively, you can create a model and migrate to get the three permissions Django provides by default, but that is cumbersome and limited. You can also define custom permissions by adding a Meta class to the model you created and declaring them there. Here's how it works.
class **Model():
    ....
    class Meta:
        permissions = (
            ('can_read', 'ferret out'),
            ('can_delete', 'removing'),
        )
Or you can write your own file to create the permission. My requirement is to restrict access to resources per user, so I set the permission directly on User, as follows.
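from django.contrib.auth.models import Permission, User
from django.contrib.contenttypes.models import ContentType

def run(codename, name):
    # Attach the permission to the User model's content type
    content_type = ContentType.objects.get_for_model(User)
    # get_or_create returns (object, created); keep only the Permission object
    permission, _ = Permission.objects.get_or_create(
        codename=codename, name=name, content_type=content_type)
    return permission

Running run creates a permission with the specified codename, tied to the User model.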
Step Three:
Validate the permissions. The two main ways are the decorator, or calling has_perm/has_perms inside the function; I use the decorator here. At first I wrote a validation decorator by hand, but later found that Django has its own, which is also nicer to use: just put @permission_required(perms) directly in front of the view function.
Because I am using a Django view class here, I cannot put @permission_required(perms) directly in front of the function. Django comes with @method_decorator(decorator), which turns a function decorator into a method or class decorator.
The usage is as follows:
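from django.contrib.auth.decorators import permission_required
from django.utils.decorators import method_decorator
from oauth2_provider.views.generic import ProtectedResourceView  # assumes django-oauth-toolkit

class LimitView(ProtectedResourceView):
    # per_list is the author's list of required permission strings, defined elsewhere
    @method_decorator(permission_required(per_list[0]))
    def get(self, request):
        ....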
LimitView is my own view class, inherited from oauth's ProtectedResourceView, which protects the view so that only authorized users can access it. The permission_required parameter is the permission the user needs to have. Users who have it can access the view normally; otherwise they are redirected to the login page, or you can specify your own redirection page here.
Note that @permission_required(perms) requires the request to carry a user field, otherwise it will report an error. The reason I can access the view without logging in is that I access it with the authorization code the user granted, which directly sets the user field in the request to the user corresponding to the access_token.
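Added example, not from the original post: a small audit of which request paths a CORS_URLS_REGEX value like the one in step one actually opens to cross-domain requests. It assumes the pattern is applied with re.match to the request path, as django-cors-headers does; the names LOOSE, STRICT, audit and all sample paths are constructed for illustration.

```python
import re

# Trailing slash sits inside the second alternative only, so "/o" matches as a bare prefix.
LOOSE = r'^/(o|api/oauth/).*$'
# Slash is required after either prefix.
STRICT = r'^/(o|api/oauth)/.*$'

# Constructed request paths for the audit.
SAMPLE_PATHS = [
    '/o/token/',
    '/o/authorize/',
    '/api/oauth/limit/',
    '/orders/42/',      # starts with "/o" but is not under /o/
    '/openapi.json',    # same problem
    '/api/oauthx/',
    '/admin/',
    '/api/users/',
]

# Paths that are meant to be reachable cross-domain (constructed).
INTENDED = {'/o/token/', '/o/authorize/', '/api/oauth/limit/'}


def audit(pattern, paths=SAMPLE_PATHS, intended=INTENDED):
    """Report how a CORS URL pattern behaves on a list of paths.

    Assumption: the middleware decides with re.match(pattern, path).
    Returns the paths exposed unintentionally and the intended paths
    the pattern fails to cover.
    """
    compiled = re.compile(pattern)
    enabled = [p for p in paths if compiled.match(p)]
    return {
        'unintended': [p for p in enabled if p not in intended],
        'missing': sorted(intended - set(enabled)),
    }


if __name__ == '__main__':
    for name, pattern in (('LOOSE', LOOSE), ('STRICT', STRICT)):
        print(name, pattern, audit(pattern))
```

Running the same audit against the project's real URL list before changing CORS_URLS_REGEX shows whether any non-OAuth endpoint would start answering cross-domain requests.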
Additional knowledge: verifying in Django whether a user has permissions
In views, check whether the user has the permission:
{% if .has_perm('app.permission name')%} …… {%endif%}
In the HTML template, decide whether to display a control based on permissions:
{% if %}
{% endif%}
Remember: for the variables to take effect in the HTML, you must pass in a RequestContext, that is, the view must use render(request, ''',{}). This problem had me stuck for a long time.
Refer to the Django documentation: /en/2.1/topics/auth/default/#permissions