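Add object permissions for a specific user/group, all authenticated users, or anonymous users
Project description
django-object-permission applies object permission features to Django models
Installation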
sudo pip install django-object-permission
or
sudo pip install git+git://github.com/lambdalisue/django-object-permission.git#egg=django-object-permission
Usage
1. Add 'object_permission' to INSTALLED_APPS
2. Add 'object_permission.backends.ObjectPermBackend' to AUTHENTICATION_BACKENDS
3. Add 'ophandler.py' to your app directory, like 'admin.py'
4. Write a model-specific ObjectPermHandler and register it with the model to object_permission.site
See object_permission_test for more details. If you want to see the old-style strategy, see README_old.rst or object_permission_test_deprecated
Example mini blog app
models.py:
from django.db import models
from django.contrib.auth.models import User
# django-author: automatically adds and updates the author field
from author.decorators import with_author


@with_author
class Entry(models.Model):
    PUB_STATES = (
        ('public', 'public entry'),
        ('protected', 'login required'),
        ('private', 'secret entry'),
    )
    # CharField requires max_length; 10 fits the longest state ('protected')
    pub_state = models.CharField('publish status', choices=PUB_STATES, max_length=10)
    title = models.CharField('title', max_length=140)
    body = models.TextField('body')
    # ...
ophandler.py:
from object_permission import site
# AuthorObjectPermHandler needs 'django-observer' and requires an 'author'
# field (the author field is automatically added by the 'with_author' decorator)
from object_permission.handlers import ObjectPermHandler
from models import Entry


class EntryObjectPermHandler(ObjectPermHandler):
    """ObjectPermHandler for a model which has an author field

    This handler contributes:

    1. Manager permission to the instance author
    2. Viewer permission to authenticated users
    3. Viewer permission to anonymous users if reject_anonymous is False
    """
    author_field = 'author'
    reject_anonymous = False

    def get_author(self):
        """get author field value"""
        return getattr(self.instance, self.author_field)

    def setup(self):
        # watch author field
        self.watch(self.author_field)

    def updated(self, attr):
        # Author has full access
        self.manager(self.get_author())
        # Authenticated user can view
        self.viewer(None)
        if self.reject_anonymous:
            self.reject('anonymous')
        else:
            self.viewer('anonymous')


# Register to object_permission site like django.contrib.admin
site.register(Entry, EntryObjectPermHandler)
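The handler above gives anonymous users the viewer permission whatever the entry's `pub_state` is. The following added example (not the project's code) shows a handler policy keyed on `pub_state` that fails closed for unknown states; `RecordingHandler`, `FakeEntry` and `grants_for` are hypothetical stand-ins so the policy runs without Django, and it assumes `reject(None)` addresses authenticated users the same way `viewer(None)` does.

```python
class RecordingHandler(object):
    """Constructed stand-in for object_permission's ObjectPermHandler.

    It only records the calls, so the policy below runs without Django."""

    def __init__(self, instance):
        self.instance = instance
        self.watched = []
        self.grants = {}  # principal -> 'manager' | 'viewer' | 'reject'
        self.setup()

    def watch(self, attr):
        self.watched.append(attr)

    def manager(self, who):
        self.grants[who] = 'manager'

    def viewer(self, who):
        self.grants[who] = 'viewer'

    def reject(self, who):
        self.grants[who] = 'reject'


class PubStateEntryHandler(RecordingHandler):
    """Derive grants from Entry.pub_state; unknown states fail closed."""
    author_field = 'author'

    def setup(self):
        # Re-evaluate when the owner or the publish state changes.
        self.watch(self.author_field)
        self.watch('pub_state')

    def updated(self, attr):
        state = self.instance.pub_state
        # None = authenticated users, 'anonymous' = anonymous users (as on the page).
        login_ok = state in ('public', 'protected')
        anon_ok = state == 'public'
        (self.viewer if login_ok else self.reject)(None)
        (self.viewer if anon_ok else self.reject)('anonymous')
        self.manager(getattr(self.instance, self.author_field))


class FakeEntry(object):  # constructed sample object, not the Django model
    def __init__(self, author, pub_state):
        self.author, self.pub_state = author, pub_state


def grants_for(pub_state, author='alice'):
    handler = PubStateEntryHandler(FakeEntry(author, pub_state))
    handler.updated('pub_state')
    return handler.grants
```

With the real library, the same `setup` and `updated` bodies would go in a subclass of `ObjectPermHandler` registered through `site.register(Entry, ...)`.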
views.py:
from django.views.generic import ListView
from django.views.generic import DetailView
from django.views.generic import CreateView
from django.views.generic import UpdateView
from django.views.generic import DeleteView
from django.core.urlresolvers import reverse
from object_permission.decorators import permission_required
from models import Entry
from forms import EntryForm


class EntryListView(ListView):
    model = Entry


class EntryDetailView(DetailView):
    model = Entry
    slug_field = 'title'

    # decorate the 'dispatch' method without method_decorator
    @permission_required('blog.view_entry')
    def dispatch(self, *args, **kwargs):
        return super(EntryDetailView, self).dispatch(*args, **kwargs)


# You can also use the decorator as a View class decorator;
# it then automatically decorates the 'dispatch' method of the View
@permission_required('blog.add_entry')
class EntryCreateView(CreateView):
    form_class = EntryForm
    model = Entry


@permission_required('blog.change_entry')
class EntryUpdateView(UpdateView):
    form_class = EntryForm
    model = Entry


@permission_required('blog.delete_entry')
class EntryDeleteView(DeleteView):
    model = Entry

    def get_success_url(self):
        return reverse('blog-entry-list')
index.html:
{% load object_permission_tags %}
<html>
<head>
    <title>django-object-permission example</title>
</head>
<body>
    {% pif 'blog.add_entry' of None or 'blog.change_entry' of object or 'blog.delete_entry' of object %}
        <!-- displayed only to users who have the `blog.add_entry` permission,
             the `blog.change_entry` permission for object or
             the `blog.delete_entry` permission for object -->
        <h2>Toolbox</h2>
        {% pif 'blog.add_entry' of object %}
            <!-- displayed only to users who have the `blog.add_entry` permission -->
            <a href="{% url 'blog-entry-create' %}">Add New Entry</a>
        {% endpif %}
        {% pif object and 'blog.change_entry' of object %}
            <!-- displayed only to users who have the `blog.change_entry` permission for object -->
            <a href="{% url 'blog-entry-update' object.pk %}">Change this entry</a>
        {% endpif %}
        {% pif object and 'blog.delete_entry' of object %}
            <!-- displayed only to users who have the `blog.delete_entry` permission for object -->
            <a href="{% url 'blog-entry-delete' object.pk %}">Delete this entry</a>
        {% endpif %}
    {% endpif %}
</body>
</html>
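Settings
- OBJECT_PERMISSION_EXTRA_DEFAULT_PERMISSIONS
  A list of extra default permissions for all models. By default, Django contributes the 'add', 'change' and 'delete' permissions to all models.
  Default: ['view']
- OBJECT_PERMISSION_BUILTIN_TEMPLATETAGS
  If this is True, pif is a built-in template tag, which means you do not need to add {% load object_permission_tags %} before using the pif tag.
  Default: True
- OBJECT_PERMISSION_AUTODISCOVER
  Enables autodiscovery. Object permission automatically searches each app for the 'ophandler' (or OBJECT_PERMISSION_HANDLER_MODULE_NAME) module and loads it.
  Default: True
- OBJECT_PERMISSION_HANDLER_MODULE_NAME
  The module name used to search each app for its object permission handler module.
  Default: 'ophandler'
- OBJECT_PERMISSION_DEPRECATED
  If this is True, all deprecated features are loaded. You should not enable this unless your project is too large to refactor, because deprecated features are no longer supported and are limited.
  Will be removed in version 0.5
- OBJECT_PERMISSION_MODIFY_FUNCTION (deprecated)
  Sets the name of the function used to modify object permissions when an object is saved. The default value is modify_object_permission
- OBJECT_PERMISSION_MODIFY_M2M_FUNCTION (deprecated)
  Sets the name of the function used to modify object permissions when an object's many-to-many relation is updated. The default value is modify_object_permission_m2m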
Source distribution
Hashes for django-object-permission-0.5.2.tar.gz
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0a1b15dc87c6a8455008a5b8a8b8a67bdc785139326d70257894f9ff30668048 |
| MD5 | 256745b5a513d455043287dc8ab0f16a |
| BLAKE2b-256 | 84f28f81dd2fa11423e18c0df0d05c0a6530ca825d54a98f53c62fafc177dcb5 |