Authentication for class-based views in Django

Time: 2018-07-11 11:39:24

Tags: django django-class-based-views

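from django.contrib.auth import get_user_model
from django.urls import reverse_lazy
from django.views import generic
from django.views.generic import UpdateView

class AdminView(generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

class AdminUpdateView(UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')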

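I created two views in Django, and I want them to be accessible only when an admin/staff member is logged in. How do I go about it?

5 answers:

Answer 0: (score: 2)

You can use UserPassesTestMixin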

from django.contrib.auth.mixins import UserPassesTestMixin

class AdminView(UserPassesTestMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

    def test_func(self):
        return self.request.user.is_staff or self.request.user.is_superuser

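Answer 1: (score: 2)

You can use the UserPassesTestMixin [Django-doc] and LoginRequiredMixin [Django-doc] mixins, and specify as a condition that the user should be an is_superuser. Since you need this twice, we can first make a composite mixin: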

from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin

class AdminStaffRequiredMixin(LoginRequiredMixin, UserPassesTestMixin):

    def test_func(self):
        return self.request.user.is_superuser or self.request.user.is_staff

Next, you can add the mixin to your class-based views:

class AdminView(AdminStaffRequiredMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

class AdminUpdateView(AdminStaffRequiredMixin, UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

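Answer 2: (score: 0)

Use decorators: with @login_required you can tell this view to be accessible only when the user is logged in. You can also pass parameters to it, or create your own one to validate whether the logged-in user on the request can see your view.

Login required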

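from django.contrib.auth.decorators import login_required
from django.utils.decorators import method_decorator

# login_required wraps view functions; on a class-based view,
# apply it to dispatch() through method_decorator.
@method_decorator(login_required(login_url='/accounts/login/'), name='dispatch')
class AdminView(generic.ListView):
    ...

@method_decorator(login_required(login_url='/accounts/login/'), name='dispatch')
class AdminUpdateView(UpdateView):
    ...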

https://docs.djangoproject.com/en/2.0/topics/auth/default/#the-login-required-decorator

Permission required

from django.contrib.auth.decorators import permission_required

@permission_required('user.is_staff')
def my_view(request):
    ...

https://docs.djangoproject.com/en/2.0/topics/auth/default/#the-permission-required-decorator

Answer 3: (score: 0)

If you want to use the LoginRequiredMixin, you still can. And it is much simpler. Just extend the LoginRequiredMixin in all your classes so that they look like this.

from django.contrib.auth.mixins import LoginRequiredMixin

class AdminView(LoginRequiredMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

class AdminUpdateView(LoginRequiredMixin, UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

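This ensures that the user is already logged in before allowing any operations. Then, check whether the user is an admin by adding the following code to each class: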

from django.core.exceptions import PermissionDenied

def dispatch(self, request, *args, **kwargs):
    if not self.request.user.is_staff:
        raise PermissionDenied
    return super().dispatch(request, *args, **kwargs)

Your code should now look like this:

class AdminView(LoginRequiredMixin, generic.ListView):
    model = get_user_model()
    fields = ['first_name', 'username', 'is_active']
    template_name = 'users/admin.html'

    def dispatch(self, request, *args, **kwargs):
        if not self.request.user.is_staff:
            raise PermissionDenied
        return super().dispatch(request, *args, **kwargs)

class AdminUpdateView(LoginRequiredMixin, UpdateView):
    model = get_user_model()
    fields = ['is_active']
    template_name = 'users/user_update.html'
    success_url = reverse_lazy('users:admin')

    def dispatch(self, request, *args, **kwargs):
        if not self.request.user.is_staff:
            raise PermissionDenied
        return super().dispatch(request, *args, **kwargs)

Answer 4: (score: 0)

You can use the IsAdminUser permission from REST framework

from rest_framework import permissions

class AdminView(generic.ListView):
    permission_classes = (permissions.IsAdminUser, )
    ...