django PermissionRequiredMixin权限不起作用

时间:2019-03-02 14:30:16

标签: python django permissions mixins user-permissions

Views.py 

class templateList(PermissionRequiredMixin, TemplateView):
    permission_required = 'accounts.template_all'

    def get(self, request, *args, **kwargs):
        #view logic
        print(self.request.user.has_perms('accounts.template_all'))
        return render(request, template_name, context)

accounts / models.py 

class User(AbstractBaseUser, PermissionsMixin):
    # some fields here
    class Meta:
        verbose_name = _('user')
        verbose_name_plural = _('users')

        permissions = (
            ("template_all", "access to all templates"),
        )

ViewName .___ mro ____ 

(<class 'template.views.templateList'>, <class 'django.contrib.auth.mixins.PermissionRequiredMixin'>, <class 'django.contrib.auth.mixins.AccessMixin'>, <class 'django.views.generic.base.TemplateView'>, <class 'django.views.generic.base.TemplateResponseMixin'>, <class 'django.views.generic.base.ContextMixin'>, <class 'django.views.generic.base.View'>, <class 'object'>)
views.py中的

self.request.user.has_perms('accounts.template_all')返回正确的布尔值,但是self.has_permission()每次都返回True。 permission_required无效,即使打印返回假,用户仍然可以看到页面。 self.get_permission_required alos返回正确的值。帮助表示赞赏。

1 个答案:

答案 0 :(得分:2)

简而言之PermissionRequiredMixin基类应该放在TemplateView基类之前 ,这样MRO是正确的,并且调度指向PermissionRequiredMixin的替代。

PermissionRequiredMixindispatch(..)方法打了补丁(它添加了额外的检查,以查看用户是否具有适当的权限)。但是,在这里,您按顺序放置了子类,结果是dispatch(..)函数是View类的函数。

实际上,如果我们看一下MRO,就会看到:

>>> ViewName.__mro__
(<class 'ViewName'>, <class 'django.views.generic.base.TemplateView'>, <class 'django.views.generic.base.TemplateResponseMixin'>, <class 'django.views.generic.base.ContextMixin'>, <class 'django.views.generic.base.View'>, <class 'django.contrib.auth.mixins.PermissionRequiredMixin'>, <class 'django.contrib.auth.mixins.AccessMixin'>, <class 'object'>)

,如果我们看一下调用.dispatch(..)时所调用的方法,我们会看到:

>>> ViewName.dispatch
<function View.dispatch at 0x7f169e8f6620>

为了让mixin覆盖原始的.dispatch(..)函数,我们需要将其放在基类中,例如:

# PermissionRequiredMixin is put before TemplateView

class ViewName(PermissionRequiredMixin, TemplateView):
    permission_required = 'accounts.action_all'
    # ...

然后我们看到:

>>> ViewName.__mro__
(<class 'ViewName'>, <class 'django.contrib.auth.mixins.PermissionRequiredMixin'>, <class 'django.contrib.auth.mixins.AccessMixin'>, <class 'django.views.generic.base.TemplateView'>, <class 'django.views.generic.base.TemplateResponseMixin'>, <class 'django.views.generic.base.ContextMixin'>, <class 'django.views.generic.base.View'>, <class 'object'>)
>>> ViewName.dispatch
<function PermissionRequiredMixin.dispatch at 0x7f168b41d620>
相关问题
最新问题