[英]Restrict (permission) Django staff user from changing certain fields of a model
[英]Django - decorators restrict “staff”
我的目标是限制“员工组”的访问权限,我试图用 decorators.py 来做到这一点,但是当我这样做时,它会限制我注册的每个用户,而不仅仅是员工。 当我使用管理员登录时,它给了我“你没有被授权”,这应该只适用于应该只看到一个平台模板的“员工”。
这里的图片也是我的管理页面。
from django.http import HttpResponse
from django.shortcuts import redirect
def allowed_user(allowed_roles=[]):
def decorator(view_func):
def wrapper_func(request, *args, **kwargs):
group = None
if request.user.groups.exists():
group = request.user.groups.all()
if group in allowed_roles:
return view_func(request, *args, **kwargs)
else:
return HttpResponse(' You are not Authorized!')
return wrapper_func
return decorator
核心/views.py
from django.shortcuts import render, get_object_or_404
from django.contrib.auth.models import User
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic.list import ListView
from .decorators import allowed_user
# Create your views here.
from quiz.models import Questions
from jobs.models import post_job
@allowed_user(allowed_roles=['Admin, Students'])
def homepage(request):
return render(request, 'core/homepage.html')
@allowed_user(allowed_roles=['Admin, Students'])
def userProfileView(request, username):
user= get_object_or_404(User, username=username)
jobs = post_job.objects.all()
categories = Questions.CAT_CHOICES
scores = []
for category in categories:
score = Questions.objects.filter(category=category[0], student= user).count()
scores.append(score)
context = {
'user' : user, 'categories_scores' : zip( categories,scores),
'jobs': jobs
}
return render(request, 'core/user_profile.html' , context)
class UserList(LoginRequiredMixin, ListView):
model = User
template_name = 'core/users.html'
帐户/views.py
from django.shortcuts import render, HttpResponseRedirect
from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User
from accounts.forms import FormRegistrazione
from .decorators import allowed_user
# Create your views here.
def registrazioneView(request):
if request.method == "POST":
form = FormRegistrazione(request.POST)
if form.is_valid():
username = form.cleaned_data["username"]
email = form.cleaned_data["email"]
password = form.cleaned_data["password1"]
User.objects.create_user(username=username, password=password, email=email)
user = authenticate(username=username, password=password)
login(request, user)
return HttpResponseRedirect("/")
else:
form = FormRegistrazione()
context = {"form": form}
return render(request, 'accounts/registrazione.html', context)
您的allowed_roles
是字符串,因此 allowed_roles 中的group in allowed_roles
将始终为 false。 特别是因为group
是Group
的QuerySet
,所以是一个集合。 该集合可以包含零个、一个或多个组。
您可以使用request.user.groups.filter(name__in=allowed_roles).exists()
检查组是否存在,因此装饰器如下所示:
from functools import wraps
def allowed_user(allowed_roles=()):
def decorator(view_func):
@wraps(view_func)
def wrapper_func(request, *args, **kwargs):
if request.user.groups.filter(name__in=allowed_roles).exists():
return view_func(request, *args, **kwargs)
else:
return HttpResponse('You are not Authorized!')
return wrapper_func
return decorator
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.