Django-装饰器限制“人员”

时间:2020-04-25 20:54:58

标签: python django

我的目标是限制我尝试使用decorators.py进行的“工作人员组”的访问,但是当我这样做时,它将限制我注册的每个用户,而不仅限于工作人员。当我使用admin登录时,它会给我“您无权”,该权限只应用于“工作人员”,而该人员只能看到平台的一个模板。

这里也是我管理页面的图片。

users

staff users

users core / decorators.py 

from django.http import HttpResponse
from django.shortcuts import redirect

def allowed_user(allowed_roles=[]):
    def decorator(view_func):
        def wrapper_func(request, *args, **kwargs):

            group = None
            if request.user.groups.exists():
                group = request.user.groups.all()

            if group in allowed_roles:
                return view_func(request, *args, **kwargs)

            else:
                return HttpResponse(' You are not Authorized!')
        return wrapper_func
    return decorator

core / views.py 

from django.shortcuts import render, get_object_or_404
from django.contrib.auth.models import User
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic.list import ListView
from .decorators import allowed_user

# Create your views here.
from quiz.models import Questions
from jobs.models import post_job




@allowed_user(allowed_roles=['Admin, Students'])
def homepage(request):
    return render(request, 'core/homepage.html')

 @allowed_user(allowed_roles=['Admin, Students'])
def userProfileView(request, username):
    user= get_object_or_404(User, username=username)
    jobs = post_job.objects.all()
    categories = Questions.CAT_CHOICES
    scores = []
    for category in categories:
        score = Questions.objects.filter(category=category[0], student= user).count()
        scores.append(score)

    context = {

    'user' : user, 'categories_scores' : zip( categories,scores),
    'jobs': jobs



    }
    return render(request, 'core/user_profile.html' , context)



class UserList(LoginRequiredMixin, ListView):
    model = User
    template_name = 'core/users.html'

account / views.py 

from django.shortcuts import render, HttpResponseRedirect
from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User
from accounts.forms import FormRegistrazione
from .decorators import allowed_user

# Create your views here.

def registrazioneView(request):
    if request.method == "POST":
        form = FormRegistrazione(request.POST)
        if form.is_valid():
            username = form.cleaned_data["username"]
            email = form.cleaned_data["email"]
            password = form.cleaned_data["password1"]
            User.objects.create_user(username=username, password=password, email=email)
            user = authenticate(username=username, password=password)
            login(request, user)
            return HttpResponseRedirect("/")


    else:
        form = FormRegistrazione()
    context = {"form": form}
    return render(request, 'accounts/registrazione.html', context)

1 个答案:

答案 0 :(得分:4)

您的allowed_roles是字符串,因此group in allowed_roles将始终为false。特别是由于groupQuerySet中的Group,因此是一个集合。该集合可以包含零个,一个或多个组。

您可以使用request.user.groups.filter(name__in=allowed_roles).exists()检查该组是否存在,因此装饰器如下所示:

from functools import wraps

def allowed_user(allowed_roles=()):
    def decorator(view_func):
        @wraps(view_func)
        def wrapper_func(request, *args, **kwargs):
            if request.user.groups.filter(name__in=allowed_roles).exists():
                return view_func(request, *args, **kwargs)
            else:
                return HttpResponse('You are not Authorized!')
        return wrapper_func
    return decorator
相关问题
最新问题