
# -*- coding: utf-8 -*-
"""
@Remark: 自定义权限
"""
import re
from rest_framework.permissions import BasePermission
from config import IS_DEMO
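def ValidationApi(reqApi, validApi):
    """
    Check whether the requested path is covered by a permission entry.

    ``validApi`` is a literal API path in which ``{id}`` stands for one path
    segment, so ``/api/user/{id}/`` covers ``/api/user/42/``.  The comparison
    is anchored at both ends of ``reqApi``: a permission for
    ``/api/user/{id}/`` does not also grant ``/api/user/42/delete/``, and
    regex metacharacters inside ``validApi`` are taken literally rather than
    interpreted.  Matching is case-insensitive.

    :param reqApi: path of the current request
    :param validApi: permission path to check against (``None`` denies)
    :return: True or False
    """
    if reqApi is None or validApi is None:
        return False
    # Escape the stored path first so it is matched literally, then put the
    # placeholder back; re.escape renders ``{id}`` as ``\{id\}``.
    pattern = re.escape(validApi).replace(re.escape('{id}'), '[^/]+')
    # fullmatch anchors the end of the path as well as the start.
    return re.fullmatch(pattern, reqApi, re.I) is not None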
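class CustomPermission(BasePermission):
    """Role-based API permission with a demo-mode write guard.

    ``has_permission`` allows a request when one of the following holds, in
    this order: the request is the demo-mode tolerated ``list_dir`` POST, the
    resolved action declares no ``permission_classes``, the user is a
    superuser, or one of the user's roles holds a permission whose
    ``permission__api`` covers ``request.path`` (see ``ValidationApi``) and
    whose ``permission__method`` equals the request method's index in
    ``METHOD_LIST``.
    """

    # Paths demo mode never blocks, whatever the method.
    DEMO_API_WHITE_LIST = (
        '/api/lyformbuilder/lyformbuilder/previewcodejson/',
        '/api/mall/goodsspu/export/',
    )
    # Methods demo mode treats as read-only and lets through.
    DEMO_SAFE_METHODS = ('GET', 'OPTIONS')
    # ``permission__method`` stores the index into this list, so the order is
    # part of the persisted data and must not change.
    METHOD_LIST = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH']

    def has_permission(self, request, view):
        """Return True when *request* may reach *view*.

        :param request: the DRF request; ``path``, ``method``, ``user`` and
            (for the demo check) ``data`` are read.
        :param view: the resolved view; only ``view.head.kwargs`` is inspected.
        :raises ValueError: in demo mode, for any write request that is neither
            whitelisted nor the file-manager ``list_dir`` action.
        """
        api = request.path
        method = request.method

        # Demo mode: block writes, except the whitelist and the read-only
        # ``list_dir`` action of the file manager.
        if (
            IS_DEMO
            and api not in self.DEMO_API_WHITE_LIST
            and method not in self.DEMO_SAFE_METHODS
        ):
            if self._is_demo_readonly_post(request, api, method):
                return True
            # NOTE(review): ValueError is not an APIException; unless the
            # project's exception handler maps it, DRF will answer 500 rather
            # than 403 here. rest_framework.exceptions.PermissionDenied is the
            # usual choice — confirm against the handler before changing.
            raise ValueError('演示模式,不允许操作!')

        # Actions that declare no permission_classes are open.
        if self._action_has_no_permission_classes(view):
            return True

        if getattr(request.user, 'is_superuser', False):
            return True

        # Methods outside METHOD_LIST (e.g. HEAD) have no stored code: deny
        # instead of letting list.index raise.
        if method not in self.METHOD_LIST:
            return False
        method_code = self.METHOD_LIST.index(method)

        if not hasattr(request.user, "role"):
            return False
        # Every (api, method) pair granted through the user's roles.
        user_api_list = request.user.role.values('permission__api', 'permission__method')
        return any(
            ValidationApi(api, item.get('permission__api'))
            and method_code == item.get('permission__method')
            for item in user_api_list
        )

    @staticmethod
    def _is_demo_readonly_post(request, api, method):
        """True for the one POST demo mode tolerates: file-manager ``list_dir``."""
        return (
            method == "POST"
            and api in ["/api/system/fileManage/"]
            and request.data.get("action", "") in ["list_dir"]
        )

    @staticmethod
    def _action_has_no_permission_classes(view):
        """True when ``view.head.kwargs`` is present but has no ``permission_classes``.

        ``kwargs`` is read with ``.get`` when it is a dict (presumably the
        shape DRF's ``@action`` attaches — confirm against the views) and with
        ``getattr`` otherwise; ``getattr`` on a dict never finds a key, so
        using it for the dict case would report every such action as open.
        """
        head = getattr(view, 'head', None)
        if not head:
            return False
        head_kwargs = getattr(head, 'kwargs', None)
        if not head_kwargs:
            return False
        if isinstance(head_kwargs, dict):
            return head_kwargs.get('permission_classes') is None
        return getattr(head_kwargs, 'permission_classes', None) is None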