背景介绍
python3环境,前后端不分离,前端使用bootstrap2框架,后端使用django2.0框架,只是个人日常记录,仅供参考
目的
RBAC权限访问限制,有权限访问,无权限禁止访问
实现思路
请求接口前从session中获取用户的访问权限,判断请求方式及请求地址是否在权限范围中,扫描权限白名单,判断是否可以请求
后端实现代码
import html
import logging
import re

from django.conf import settings
from django.shortcuts import HttpResponse, redirect
class MiddlewareMixin(object):
    """
    Minimal adapter from the hook-style middleware API (``process_request`` /
    ``process_response``) to the callable middleware interface.

    Subclasses define either hook; this base wires them around the next
    handler in the chain.
    """

    def __init__(self, get_response=None):
        # Next handler in the chain (the following middleware or the view).
        self.get_response = get_response
        super().__init__()

    def __call__(self, request):
        """
        Dispatch one request through the hooks.

        A truthy value from ``process_request`` short-circuits the chain and
        becomes the response; otherwise ``get_response`` is called. When a
        ``process_response`` hook exists it gets the final say.
        """
        early = None
        if hasattr(self, 'process_request'):
            early = self.process_request(request)
        response = early if early else self.get_response(request)
        if hasattr(self, 'process_response'):
            return self.process_response(request, response)
        return response
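class RbacMiddleware(MiddlewareMixin):
    """
    Check whether the user's URL request lies within the permissions held in
    the session.

    Decision order (fail-closed: anything not explicitly allowed is denied):
      1. a path matching an entry of ``settings.SAFE_URL`` is always let through;
      2. a session without a permission list is redirected to ``settings.LOGIN_URL``;
      3. otherwise the request passes only if one permission entry matches both
         the requested path and the HTTP method.
    """

    def process_request(self, request):
        """
        Return ``None`` to let the request continue, or an ``HttpResponse``
        (redirect or "no permission" page) that stops it before the view runs.

        Each entry of the session permission list is expected to be a dict with
        ``request_url`` (a path pattern that ``settings.REGEX_URL`` wraps into the
        final regex) and ``request_method`` (the HTTP method it applies to).
        """
        logger = logging.getLogger(__name__)
        request_url = request.path_info
        method = request.method
        permission_url = request.session.get(settings.SESSION_PERMISSION_REQUEST_KEY)
        # Debug level rather than print(): the permission list is access-control
        # detail and should not land on stdout for every request in production.
        logger.debug('访问url %s %s', method, request_url)
        logger.debug('权限-- %s', permission_url)

        # Whitelist. re.match anchors only at the start of the path, so SAFE_URL
        # entries should end with '$' unless a prefix match is really intended.
        for url in settings.SAFE_URL:
            if re.match(url, request_url):
                logger.debug('白名单通过')
                return None

        # No permissions in the session: send to login.
        # LOGIN_URL itself must be whitelisted or this redirects in a loop.
        if not permission_url:
            return redirect(settings.LOGIN_URL)

        # Each stored permission is the regex, the requested path is the subject.
        # (The earlier version had these swapped, which let regex metacharacters
        # in a request path change what it matched.) REGEX_URL is expected to
        # anchor the pattern so that /user/ does not match /user/add/.
        allowed = False
        url_list = []
        # Named `perm`, not `request`, so the request argument is not shadowed.
        for perm in permission_url:
            url = perm.get('request_url')
            url_list.append(url)
            if url is None or method != perm.get('request_method'):
                continue
            url_pattern = settings.REGEX_URL.format(url=url)
            try:
                if re.match(url_pattern, request_url):
                    allowed = True
                    break
            except re.error:
                # A malformed stored pattern must not grant (or crash) the request.
                logger.warning('invalid permission pattern skipped: %r', url_pattern)
                continue

        if allowed:
            logger.debug('可以访问')
            return None

        logger.debug('不可访问')
        if settings.DEBUG:
            # Debug mode only: list the accessible urls. They are rendered into
            # HTML, so escape them even though they come from the session.
            info = '<br/>' + '<br/>'.join(html.escape(str(u)) for u in url_list)
            return HttpResponse('无权限,请尝试访问以下地址:%s' % info)
        return HttpResponse('无权限访问')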