目前在做AD权限管控,因之前并没有考虑到这部分,后面需要做,则从头开始做。
AD连接,获取AD用户名和邮箱地址、部门和所在群组。群组获取的是ID,因群组名称可能随着组织架构更改,故获取ID。下面函数传入AD用户名和密码,会返回这个用户的user_cn、user_mail、user_dn、groups;注意groups是一个列表,在数据库中以列表形式存储,后面处理权限时需要对存储的列表进行解析处理。
import random
import re
import string

import requests
from ldap3 import ALL, BASE, NTLM, SUBTREE, Connection, Server
from ldap3.utils.conv import escape_filter_chars
from PIL import Image
from pyzbar.pyzbar import decode
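def authenticate_ad(username, password):
    """Bind to AD as *username* and return the user's profile and group IDs.

    Args:
        username: sAMAccountName typed by the user at login (untrusted).
        password: the user's AD password (untrusted).

    Returns:
        A dict with keys ``username`` (cn), ``email`` (mail, or ``'N/A'``
        when absent), ``dp`` (result of ``get_info`` on the user's DN) and
        ``groups`` (list of lower-case objectGUID strings without braces),
        or ``None`` when the bind fails or the account is not found.
    """
    # Refuse empty credentials before binding: an empty password must never
    # be allowed to turn into an unauthenticated/anonymous bind that "succeeds".
    if not username or not password:
        return None

    server_address = "ldap://192.168.1.2"
    domain = "xxx.com"
    # NOTE(review): the search base is hard-coded separately from ``domain``;
    # both must refer to the same directory.
    search_base = 'dc=morglory,dc=com'

    server = Server(server_address, get_info=ALL)
    user = f'{domain}\\{username}'
    conn = Connection(server, user=user, password=password, authentication=NTLM)
    if not conn.bind():
        return None

    try:
        # Escape the user-supplied name so LDAP filter metacharacters
        # (``*``, ``(``, ``)``, ``\``, NUL) cannot alter the filter.
        safe_name = escape_filter_chars(username)
        conn.search(search_base=search_base,
                    search_filter=f'(sAMAccountName={safe_name})',
                    search_scope=SUBTREE,
                    attributes=['cn', 'mail', 'memberOf'])
        if not conn.entries:
            return None

        user_info = conn.entries[0]
        user_dn = user_info.entry_dn
        user_cn = user_info.cn.value
        user_mail = user_info.mail.value if user_info.mail else 'N/A'

        # Membership is recorded by objectGUID rather than by group name, so a
        # rename in the org chart does not invalidate stored permissions.
        groups = []
        if hasattr(user_info, 'memberOf'):
            for group_dn in user_info.memberOf.values:
                conn.search(search_base=group_dn,
                            search_filter='(objectClass=group)',
                            search_scope=BASE,
                            attributes=['objectGUID'])
                if conn.entries:
                    group_id = str(conn.entries[0].objectGUID.value).lower()
                    groups.append(group_id.replace("{", "").replace("}", ""))

        return {
            'username': user_cn,
            'email': user_mail,
            'dp': get_info(user_dn),
            'groups': groups,
        }
    finally:
        # Release the LDAP session on every path, including exceptions.
        conn.unbind()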
数据库:
userlogin为用户登录记录,在用户登录时写入
Adgroup:AD中文群组和对应群组ID
Web:URL的name名称和对应的显示中文
WebPermissions:每一个web页面对应的群组,以及权限
class userlogin(models.Model):
    """One row per login; written at login time and looked up on every
    decorated request through the ``userid`` cookie."""
    username = models.CharField(max_length=25,verbose_name='用戶名')
    useremail = models.EmailField(verbose_name='用戶郵箱')
    department = models.CharField(max_length=10, verbose_name='部門')
    # Login identifier echoed back in the ``userid`` cookie and used as the
    # lookup key by the permission decorator, i.e. it acts as a session
    # token. NOTE(review): its generator is not shown here -- it must be
    # unpredictable (``secrets``, not ``random``) and unique per login.
    code = models.CharField(max_length=32,verbose_name='登錄識別')
    logintime = models.DateTimeField(auto_now_add=True,verbose_name='登錄時間')
    # Text form of the ``groups`` list returned by authenticate_ad
    # (objectGUID strings); parsed back with ast.literal_eval before use.
    ad_groups = models.TextField(verbose_name='Ad群组')
class Adgroup(models.Model):
    """Maps an AD group's display name to its objectGUID."""
    groupname = models.CharField(max_length=30,verbose_name='AD群组名称',unique=True)
    # The objectGUID (lower-case, braces stripped, as produced by
    # authenticate_ad) is the primary key so that renaming the group in AD
    # does not break existing permission rows.
    groupid = models.CharField(max_length=128,primary_key=True,verbose_name="AD群组ID")
class Web(models.Model):
    """A protected page: ``webname`` is the Django URL name that ``resolve()``
    yields for the request path; ``webcname`` is its display label."""
    webname = models.CharField(max_length=30,verbose_name='urlname',unique=True)
    webcname = models.CharField(max_length=30,verbose_name='网页中文名',unique=True)
class WebPermissions(models.Model):
    """Grants one AD group access to one page; only rows with ``isTure=True``
    count as a grant, so a row can be kept but disabled."""
    webname = models.ForeignKey("Web",on_delete=models.CASCADE, related_name='permissions')
    permissionname = models.ForeignKey('Adgroup',on_delete=models.CASCADE, related_name='permissions')
    # Field name is misspelled but is referenced by the permission query;
    # renaming it would need a migration plus a query change.
    isTure = models.BooleanField(default=False)
为了方便给每一个页面配置权限,需要写一个装饰器,这样方便扩展,也不用在每一个页面中单独进行权限验证。
from django.shortcuts import render
from django.urls import resolve
# Create your views here.
from IT.models import *
from user.models import *
from django.urls import resolve
from django.http import HttpResponseForbidden, JsonResponse
import ast
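def cheackpermission(func):
    """View decorator: run *func* only when the caller may open this page.

    The page is identified by the resolved URL name of the request path; the
    caller by the ``userid`` cookie, which holds the ``userlogin.code`` written
    at login. Access is granted when at least one of the user's stored AD group
    IDs has a ``WebPermissions`` row for this page with ``isTure=True``.

    Unauthenticated callers get ``login.html``; authenticated callers without a
    matching grant get ``nopermission.html``. The wrapped view is invoked only
    after the check passes, so a denied request never executes the view's side
    effects (the original called the view first and merely withheld its
    response).
    """
    from functools import wraps

    @wraps(func)
    def wrapper(request, *args, **kwargs):
        url_name = resolve(request.path_info).url_name

        user_code = request.COOKIES.get('userid')
        if not user_code:
            return render(request, "login.html", )

        user = userlogin.objects.filter(code=user_code).first()
        if user is None:
            return render(request, "login.html", )

        # ad_groups holds the text form of a Python list (see authenticate_ad);
        # literal_eval parses it without executing code. A corrupt value is
        # treated as "no groups" rather than a server error.
        try:
            group_ids = ast.literal_eval(user.ad_groups) if user.ad_groups else []
        except (ValueError, SyntaxError):
            group_ids = []
        if not isinstance(group_ids, (list, tuple)):
            group_ids = []

        # The grant must be for THIS page: filter on the resolved URL name, not
        # merely on "some enabled row exists for the group" as before, which
        # let any group with one grant anywhere open every decorated page.
        allowed = WebPermissions.objects.filter(
            webname__webname=url_name,
            permissionname__in=list(group_ids),
            isTure=True,
        ).exists()
        if not allowed:
            return render(request, "nopermission.html", {'userinfo': user})

        return func(request, *args, **kwargs)

    return wrapper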
@cheackpermission
def permissions(request):
    """Render the permission-management page; access is gated by the decorator."""
    template_name = "permission.html"
    return render(request, template_name)
以上就会对页面进行权限验证,如通过则显示,不通过则返回提示无权限页面