Implementing access control in Django based on role

Question

I need help in implementing access control on my Django project. There are 2 main roles, sales and developer. In these 2 roles, there is another hierarchy, manager and non-manager. Based on their roles, I would want to display different things and do different types of queries.

The method I am currently using is to extend my user model to include these roles, and to use if statements within my template to display the functionalities accordingly.

Here is my model:

from django.contrib.auth.models import User
from django.db import models


class UserProfile(models.Model):
    role = (
        ('sm', 'sales_manager'),
        ('s', 'sales'),
        ('rm', 'rnd_manager'),
        ('r', 'rnd'),
    )
    # One profile per auth User; the reverse accessor Django generates is user.userprofile
    user = models.OneToOneField(User, on_delete=models.CASCADE)
    # max_length on a TextField is only enforced by the auto-generated form field, not by the database
    user_type = models.TextField(max_length=500, choices=role)
    contact = models.IntegerField(default=92388112)

    def __str__(self):
        return str(self.user.username)

Here is my view:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render

from .models import UserProfile  # assumes the model lives in this app's models.py


@login_required(login_url='login')
def rnd_home(request):  # 'rnd/home' is not a valid Python identifier; 'rnd/home' is the template path below
    print(request.user.username)
    context = {
        # every profile in the table is handed to the template, regardless of who is logged in
        'userProfile': UserProfile.objects.all(),
    }
    return render(request, 'rnd/home.html', context)

here is a relevant part of my template:

{% if user.get_UserProfile.user_type == 's' or user.get_UserProfile.user_type == 'sm' %}
    <p>Sales</p>
{% else %}
    <p>RnD</p>
{% endif %}
<li>

However, my for loop does not work. It does not throw any error, but does nothing as well. When I'm logged in as an 'r' type, sales still gets shown on my screen.

It would be great if someone could answer me as well as leave some tips on the best way to implement such access control, not only in features but also in filtering the data shown in common features.

Answer 1

Score: 1

I don't see any for loop in your code. But if you just want UserProfile from User, you can get a OneToOne model directly from either side. In your case, it would be user.userProfile.user_type.

You might also want to look at Django Custom Permissions
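
Enforcing the roles on the server rather than only in the template, as an added example that is not part of the original question or answer. It assumes the UserProfile model from the question, Django's default reverse accessor for the OneToOneField, which is the lowercased model name `user.userprofile`, and that `django.core.exceptions.PermissionDenied` is available (Django turns it into an HTTP 403 response). The visibility policy (managers see their whole department, everyone else only their own profile) and the `make_user` helper, a constructed stand-in for an authenticated `django.contrib.auth` User, are assumptions of this example so the policy can be exercised outside a running project:

```python
"""Role-based access control for UserProfile.user_type ('sm', 's', 'rm', 'r').

Added example, not the original poster's code. Assumes the UserProfile model
from the question and Django's default reverse accessor `user.userprofile`.
"""
from functools import wraps
from types import SimpleNamespace

try:
    # Django converts PermissionDenied raised from a view into an HTTP 403 response.
    from django.core.exceptions import PermissionDenied
except ImportError:  # lets the policy be imported and tested outside a Django project
    class PermissionDenied(Exception):
        pass

# Role code -> (department, is_manager). Mirrors the `role` choices on UserProfile.
ROLES = {
    "sm": ("sales", True),
    "s": ("sales", False),
    "rm": ("rnd", True),
    "r": ("rnd", False),
}


def role_of(user):
    """Return the user's role code, or None for anonymous users, missing profiles or unknown codes."""
    if user is None or not getattr(user, "is_authenticated", False):
        return None
    # Django raises RelatedObjectDoesNotExist (an AttributeError subclass) when no profile
    # row exists, so getattr() with a default covers that case as well.
    profile = getattr(user, "userprofile", None)
    if profile is None:
        return None
    code = getattr(profile, "user_type", None)
    return code if code in ROLES else None


def role_required(*allowed):
    """View decorator: run the view only if the user's role is one of `allowed`, else 403.

    Stack it under @login_required; the template `if` then only decides what to
    render, it no longer decides who gets in.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if role_of(request.user) not in allowed:
                raise PermissionDenied("role not permitted for this view")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def profile_filter(user):
    """Keyword arguments for UserProfile.objects.filter(**...) that scope a listing to `user`.

    Policy (an assumption of this example): managers see every profile in their own
    department, everyone else sees only their own profile. Unknown roles are denied
    rather than silently shown everything.
    """
    role = role_of(user)
    if role is None:
        raise PermissionDenied("no recognised role")
    department, is_manager = ROLES[role]
    if is_manager:
        codes = sorted(code for code, (dept, _) in ROLES.items() if dept == department)
        return {"user_type__in": codes}
    return {"user": user}


def make_user(role, username):
    """Constructed stand-in for an authenticated django.contrib.auth User with a profile."""
    user = SimpleNamespace(is_authenticated=True, username=username)
    user.userprofile = SimpleNamespace(user_type=role)
    return user


if __name__ == "__main__":
    @role_required("r", "rm")
    def rnd_home(request):
        return "rnd home for %s" % request.user.username

    bob = make_user("r", "bob")        # R&D, non-manager
    alice = make_user("sm", "alice")   # sales manager
    print(rnd_home(SimpleNamespace(user=bob)))
    print(profile_filter(alice))       # {'user_type__in': ['s', 'sm']}
    try:
        rnd_home(SimpleNamespace(user=alice))
    except PermissionDenied as exc:
        print("denied:", exc)
```

In the project, `rnd_home` keeps `@login_required(login_url='login')` as the outermost decorator (so anonymous users are redirected to the login page rather than getting a 403) with `@role_required('r', 'rm')` beneath it, and the context uses `UserProfile.objects.filter(**profile_filter(request.user))` in place of `UserProfile.objects.all()`, so a non-manager never receives other users' rows in the first place. The same `profile_filter` call can scope any other view that lists profiles, which is the "filtering the data shown in common features" part of the question.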

huangapple
  • Posted on 2020-01-03 16:02:12
  • Please keep this link when reposting: https://go.coder-hub.com/59575061.html