我的目标是限制我尝试使用decorators.py进行的“工作人员组”的访问,但是当我这样做时,它将限制我注册的每个用户,而不仅限于工作人员。当我使用admin登录时,它会给我“您无权”,该权限只应用于“工作人员”,而该人员只能看到平台的一个模板。
这里也是我管理页面的图片。
from django.http import HttpResponse
from django.shortcuts import redirect
def allowed_user(allowed_roles=[]):
def decorator(view_func):
def wrapper_func(request, *args, **kwargs):
group = None
if request.user.groups.exists():
group = request.user.groups.all()
if group in allowed_roles:
return view_func(request, *args, **kwargs)
else:
return HttpResponse(' You are not Authorized!')
return wrapper_func
return decorator
core / views.py
from django.shortcuts import render, get_object_or_404
from django.contrib.auth.models import User
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic.list import ListView
from .decorators import allowed_user
# Create your views here.
from quiz.models import Questions
from jobs.models import post_job
@allowed_user(allowed_roles=['Admin, Students'])
def homepage(request):
return render(request, 'core/homepage.html')
@allowed_user(allowed_roles=['Admin, Students'])
def userProfileView(request, username):
user= get_object_or_404(User, username=username)
jobs = post_job.objects.all()
categories = Questions.CAT_CHOICES
scores = []
for category in categories:
score = Questions.objects.filter(category=category[0], student= user).count()
scores.append(score)
context = {
'user' : user, 'categories_scores' : zip( categories,scores),
'jobs': jobs
}
return render(request, 'core/user_profile.html' , context)
class UserList(LoginRequiredMixin, ListView):
model = User
template_name = 'core/users.html'
account / views.py
from django.shortcuts import render, HttpResponseRedirect
from django.contrib.auth import authenticate, login
from django.contrib.auth.models import User
from accounts.forms import FormRegistrazione
from .decorators import allowed_user
# Create your views here.
def registrazioneView(request):
if request.method == "POST":
form = FormRegistrazione(request.POST)
if form.is_valid():
username = form.cleaned_data["username"]
email = form.cleaned_data["email"]
password = form.cleaned_data["password1"]
User.objects.create_user(username=username, password=password, email=email)
user = authenticate(username=username, password=password)
login(request, user)
return HttpResponseRedirect("/")
else:
form = FormRegistrazione()
context = {"form": form}
return render(request, 'accounts/registrazione.html', context)
答案 0 :(得分:4)
您的allowed_roles
是字符串,因此group in allowed_roles
将始终为false。特别是由于group
是QuerySet
中的Group
,因此是一个集合。该集合可以包含零个,一个或多个组。
您可以使用request.user.groups.filter(name__in=allowed_roles).exists()
检查该组是否存在,因此装饰器如下所示:
from functools import wraps
def allowed_user(allowed_roles=()):
def decorator(view_func):
@wraps(view_func)
def wrapper_func(request, *args, **kwargs):
if request.user.groups.filter(name__in=allowed_roles).exists():
return view_func(request, *args, **kwargs)
else:
return HttpResponse('You are not Authorized!')
return wrapper_func
return decorator