# -*- coding: utf-8 -*- """ @Remark: 自定义权限 """ import re from rest_framework.permissions import BasePermission from config import IS_DEMO def ValidationApi(reqApi, validApi): """ 验证当前用户是否有接口权限 :param reqApi: 当前请求的接口 :param validApi: 用于验证的接口 :return: True或者False """ if validApi is not None: valid_api = validApi.replace('{id}', '.*?') matchObj = re.match(valid_api, reqApi, re.M | re.I) if matchObj: return True else: return False else: return False class CustomPermission(BasePermission): """自定义权限""" def has_permission(self, request, view): # 演示模式接口白名单(演示模式不做控制) # 演示模式判断 demo_api_white_list = ['/api/lyformbuilder/lyformbuilder/previewcodejson/','/api/mall/goodsspu/export/'] if IS_DEMO and not request.path in demo_api_white_list: if not request.method in ['GET', 'OPTIONS']: raise ValueError('演示模式,不允许操作!') # 对ViewSet下的def方法进行权限判断 # 当权限为空时,则可以访问 is_head = getattr(view, 'head', None) if is_head: head_kwargs = getattr(view.head, 'kwargs', None) if head_kwargs: _permission_classes = getattr(head_kwargs, 'permission_classes', None) if _permission_classes is None: return True # 判断是否是超级管理员 if request.user.is_superuser: return True else: api = request.path # 当前请求接口 method = request.method # 当前请求方法 methodList = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'] method = methodList.index(method) if not hasattr(request.user, "role"): return False userApiList = request.user.role.values('permission__api', 'permission__method') # 获取当前用户的角色拥有的所有接口 for item in userApiList: valid = ValidationApi(api, item.get('permission__api')) if valid and (method == item.get('permission__method')): return True return False