[英]How to restrict access for staff users to see only their information in Django admin page?
我創建了一個自定義 Django 管理頁面。 我有兩種類型的用戶可以訪問管理頁面(員工用戶和超級用戶)。 超級用戶可以查看所有用戶並可以更改他們的設置。 他還可以添加或刪除用戶。 員工用戶只能看到他們的設置並且可以更改其中的一些。 我目前有一個問題,員工用戶可以看到 web 應用程序的所有用戶並且可以添加或刪除他們。 我限制員工用戶查看某些設置,但無法更改。
我不知道如何限制員工用戶只能看到他們的設置。
這是我的代碼:Admin.py
from django.contrib import admin
from django.contrib.auth import get_user_model
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from .forms import UserAdminChangeForm, UserAdminCreationForm
from .models import UpLoadFile
User = get_user_model()
admin.site.site_header = 'SRC Orkestracija'
admin.site.index_title = 'Administration'
admin.site.register(UpLoadFile)
class UserAdmin(BaseUserAdmin):
# The forms to add and change user instances
form = UserAdminChangeForm
add_form = UserAdminCreationForm
# The fields to be used in displaying the User model.
# These override the definitions on the base UserAdmin
# that reference specific fields on auth.User.
list_display = ('username', 'superuser', 'active', 'staff')
list_filter = ('superuser', 'active', 'staff')
readonly_fields = [
'last_login'
]
actions = [
'activate_users',
]
filter_horizontal = ('user_permissions', 'groups')
fieldsets = (
(None, {'fields': ('username', 'password', 'config_file')}),
('Permissions', {'fields': ('superuser', 'active', 'staff', 'groups', 'user_permissions')}),
('Important dates', {'fields': ('last_login',)}),
)
# add_fieldsets is not a standard ModelAdmin attribute. UserAdmin
# overrides get_fieldsets to use this attribute when creating a user.
add_fieldsets = (
(None, {
'classes': ('wide',),
'fields': ('username', 'password1', 'password2', 'config_file')}
),
)
search_fields = ('username',)
ordering = ('username',)
def get_form(self, request, obj=None, **kwargs):
form = super().get_form(request, obj, **kwargs)
is_superuser = request.user.is_superuser
disabled_fields = set()
if not is_superuser:
disabled_fields |= {
'username',
'active',
'superuser',
'staff',
'groups',
'user_permissions'
}
if (
not is_superuser
and obj is not None
and obj == request.user
):
disabled_fields |= {
'username',
'active',
'superuser',
'staff',
'groups',
'user_permissions'
}
for f in disabled_fields:
if f in form.base_fields:
form.base_fields[f].disabled = True
return form
def activate_users(self, request, queryset):
is_superuser = request.user.is_superuser
if is_superuser:
cnt = queryset.filter(active=False).update(active=True)
self.message_user(request, 'Activated {} users.'.format(cnt))
activate_users.short_description = 'Activate Users'
admin.site.register(User, UserAdmin)
模型.py:
class UserManager(BaseUserManager):
def create_user(self, username, config_file, password=None, is_active=True, is_staff=False, is_superuser=False):
if not username:
raise ValueError("User must have username!")
if not password:
raise ValueError("User must have password!")
if not config_file:
raise ValueError("Select config file!")
user_obj = self.model(
username=username,
)
user_obj.config_file = config_file
user_obj.staff = is_staff
user_obj.superuser = is_superuser
user_obj.active = is_active
user_obj.set_password(password)
user_obj.save(using=self._db)
return user_obj
def create_staffuser(self, username, config_file, password=None):
user = self.create_user(
username=username,
config_file=config_file,
password=password,
is_staff=True
)
return user
def create_superuser(self, username, config_file, password=None):
user = self.create_user(
username=username,
config_file=config_file,
password=password,
is_staff=True,
is_superuser=True
)
return user
class CustomUser(AbstractBaseUser, PermissionsMixin):
class Meta:
verbose_name = "User"
verbose_name_plural = "Users"
OPTIONS = (
('1', '1'),
('2', '2'),
('3', '3'),
('4', '4'),
)
username = models.CharField(unique=True, max_length=255)
active = models.BooleanField(default=True,
help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.')
staff = models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.')
superuser = models.BooleanField(default=False,
help_text='Designates that this user has all permissions without explicitly assigning them.')
config_file = models.CharField(choices=OPTIONS, max_length=255)
USERNAME_FIELD = 'username'
REQUIRED_FIELDS = ['config_file']
object = UserManager()
def __str__(self):
return self.username
def has_perm(self, perm, obj=None):
return True
def has_module_perms(self, app_lable):
return True
@property
def is_staff(self):
return self.staff
@property
def is_superuser(self):
return self.superuser
@property
def is_active(self):
return self.active
def path(user, filename):
return os.path.join(str(user))
我將不勝感激任何幫助或說明如何添加此功能。
您可以將超級用戶設置為僅在管理員 class 中具有添加/刪除權限。
class UserAdmin(BaseUserAdmin):
...
def has_add_permission(self, request, obj=None):
return request.user.is_superuser
def has_delete_permission(self, request, obj=None):
return request.user.is_superuser
請注意,通過不在管理界面中向任何組或用戶授予添加或刪除權限也可以實現上述目的。
以下將僅允許用戶更改所有用戶,如果他們是超級用戶。 否則,他們將只能更改自己的用戶。
def has_change_permission(self, request, obj=None):
return request.user.is_superuser or (obj and obj.id == request.user.id)
如果您希望他們能夠看到只有他們的用戶可見的用戶列表頁面,您可以修改get_queryset
def get_queryset(self, request):
qs = super().get_queryset(request)
user = request.user
return qs if user.is_superuser else qs.filter(id=user.id)
在您的模板中:
{% if request.user.is_superuser %}
<!-- Only superusers can view things in here -->
{% endif %}
在您看來,您還必須控制哪些可以編輯,哪些不能。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.