背景介紹
python3環境,前後端不分離,前端使用bootstrap2框架,後端使用django2.0框架,只是個人日常記錄,僅供參考
目的
RBAC權限訪問限制,有權限訪問,無權限禁止訪問
實現思路
請求接口前從session中獲取用戶的訪問權限,判斷請求方式及請求地址是否在權限範圍中,掃描權限白名單,判斷是否可以請求
後端實現代碼
import html
import logging
import re

from django.conf import settings
from django.shortcuts import HttpResponse, redirect
class MiddlewareMixin(object):
    """
    Minimal Django-style middleware base.

    Subclasses may define ``process_request(request)`` and/or
    ``process_response(request, response)``; ``__call__`` wires them around
    ``get_response``. A truthy value returned by ``process_request``
    short-circuits the chain and is used as the response.
    """

    def __init__(self, get_response=None):
        super(MiddlewareMixin, self).__init__()
        # Callable that produces the response for this request (next
        # middleware or the view); may be None when constructed bare.
        self.get_response = get_response

    def __call__(self, request):
        """Run the optional pre/post hooks around ``get_response``."""
        result = None
        if hasattr(self, 'process_request'):
            result = self.process_request(request)
        # Any falsy hook result (None, empty) falls through to get_response.
        if not result:
            result = self.get_response(request)
        if hasattr(self, 'process_response'):
            result = self.process_response(request, result)
        return result
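class RbacMiddleware(MiddlewareMixin):
    """
    Check whether the user's URL request is within its permission scope.

    ``process_request`` decides in this order:

    1. A path matching any entry of ``settings.SAFE_URL`` is let through.
    2. Otherwise the permission list is read from the session under
       ``settings.SESSION_PERMISSION_REQUEST_KEY``; when it is missing or
       empty the client is redirected to ``settings.LOGIN_URL`` (the login
       page itself must therefore be in ``SAFE_URL``, or this redirects
       forever).
    3. The request path and method are compared against every permission
       entry (``{'request_url': ..., 'request_method': ...}``); a match
       lets the request through, anything else is answered with 403.
    """

    _logger = logging.getLogger(__name__)

    def process_request(self, request):
        """
        Return None to allow the request, or an HttpResponse to stop it.

        Args:
            request: the incoming HttpRequest; ``path_info``, ``method`` and
                ``session`` are read.

        Returns:
            None when the request is whitelisted or permitted; a redirect to
            the login page when no permission list is in the session; a 403
            HttpResponse when the user lacks the permission.
        """
        request_url = request.path_info
        method = request.method
        permission_url = request.session.get(settings.SESSION_PERMISSION_REQUEST_KEY)
        # Debug-level only: the permission list is dumped on every request.
        self._logger.debug('訪問url %s %s', method, request_url)
        self._logger.debug('權限-- %s', permission_url)

        # Whitelisted paths bypass the permission check entirely.
        # NOTE(review): re.match anchors at the start only, so a SAFE_URL
        # entry such as '^/login' also matches '/login-anything' unless the
        # entry ends with '$' — confirm the entries in settings are anchored.
        for safe_pattern in settings.SAFE_URL:
            if re.match(safe_pattern, request_url):
                self._logger.debug('白名單通過')
                return None

        # No permission list in the session: treat as not logged in.
        if not permission_url:
            return redirect(settings.LOGIN_URL)

        # The request path is attacker-controlled and is interpolated into a
        # regex, so it is escaped: otherwise metacharacters in the path are
        # interpreted as pattern syntax (or raise re.error -> 500). The
        # pattern is built once; it does not change inside the loop.
        url_pattern = settings.REGEX_URL.format(url=re.escape(request_url))

        # Loop variable deliberately not named `request` — the original
        # shadowed the HttpRequest parameter.
        allowed_urls = []
        for perm in permission_url:
            perm_url = perm.get('request_url')
            allowed_urls.append(perm_url)
            if re.match(url_pattern, perm_url) and method == perm.get('request_method'):
                self._logger.debug('可以訪問')
                return None

        # Denied: answered with 403 (not 200) so clients and access logs can
        # tell a refusal from a successful page.
        self._logger.info('不可訪問 %s %s', method, request_url)
        if settings.DEBUG:
            # Debug aid: list the permitted URLs. Escaped before being placed
            # in HTML since the values come from the session, not from code.
            info = '<br/>' + '<br/>'.join(html.escape(u) for u in allowed_urls)
            return HttpResponse('無權限,請嘗試訪問以下地址:%s' % info, status=403)
        return HttpResponse('無權限訪問', status=403)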