问题
I'd like to use a permissions based system to restrict certain actions within my Django application. These actions need not be related to a particular model (e.g. access to sections in the application, searching...), so I can't use the stock permissions framework directly, because the Permission model requires a reference to an installed content type.
I could write my own permission model but then I'd have to rewrite all the goodies included with the Django permissions, such as:
- The possibility to assign permissions to users and groups.
- The permission_required decorator.
- User.has_perm and related user methods.
- The perms template variable.
- ...
I've checked some apps like django-authority and django-guardian, but they seem to provide permissions even more coupled to the model system, by allowing per-object permissions.
Is there a way to reuse this framework without having defined any model (besides User
and Group
) for the project?
回答1:
Django's Permission
model requires a ContentType instance.
I think one way around it is creating a dummy ContentType
that isn't related to any model (the app_label
and model
fields can be set to any string value).
If you want it all clean and nice, you can create a Permission
proxy model that handles all the ugly details of the dummy ContentType
and creates "modelless" permission instances. You can also add a custom manager that filters out all Permission
instances related to real models.
回答2:
For those of you, who are still searching:
You can create an auxiliary model with no database table. That model can bring to your project any permission you need. There is no need to deal with ContentType or create Permission objects explicit.
from django.db import models
class RightsSupport(models.Model):
class Meta:
managed = False # No database table creation or deletion \
# operations will be performed for this model.
permissions = (
('customer_rights', 'Global customer rights'),
('vendor_rights', 'Global vendor rights'),
('any_rights', 'Global any rights'),
)
Right after manage.py migrate
you can use these permissions like any other.
# Decorator
@permission_required('app.customer_rights')
def my_search_view(request):
…
# Inside a view
def my_search_view(request):
request.user.has_perm('app.customer_rights')
# In a template
# The currently logged-in user’s permissions are stored in the template variable {{ perms }}
{% if perms.app.customer_rigths %}
<p>You can do any customer stuff</p>
{% endif %}
回答3:
Following Gonzalo's advice, I used a proxy model and a custom manager to handle my "modelless" permissions with a dummy content type.
from django.db import models
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType
class GlobalPermissionManager(models.Manager):
def get_query_set(self):
return super(GlobalPermissionManager, self).\
get_query_set().filter(content_type__name='global_permission')
class GlobalPermission(Permission):
"""A global permission, not attached to a model"""
objects = GlobalPermissionManager()
class Meta:
proxy = True
def save(self, *args, **kwargs):
ct, created = ContentType.objects.get_or_create(
name="global_permission", app_label=self._meta.app_label
)
self.content_type = ct
super(GlobalPermission, self).save(*args, **kwargs)
回答4:
Fix for Chewie's answer in Django 1.8, which as been requested in a few comments.
It says in the release notes:
The name field of django.contrib.contenttypes.models.ContentType has been removed by a migration and replaced by a property. That means it’s not possible to query or filter a ContentType by this field any longer.
So it's the 'name' in reference in ContentType that the uses not in GlobalPermissions.
When I fix it I get the following:
from django.db import models
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType
class GlobalPermissionManager(models.Manager):
def get_queryset(self):
return super(GlobalPermissionManager, self).\
get_queryset().filter(content_type__model='global_permission')
class GlobalPermission(Permission):
"""A global permission, not attached to a model"""
objects = GlobalPermissionManager()
class Meta:
proxy = True
verbose_name = "global_permission"
def save(self, *args, **kwargs):
ct, created = ContentType.objects.get_or_create(
model=self._meta.verbose_name, app_label=self._meta.app_label,
)
self.content_type = ct
super(GlobalPermission, self).save(*args)
The GlobalPermissionManager class is unchanged but included for completeness.
回答5:
This is alternative solution. First ask yourself: Why not create a Dummy-Model which really exists in DB but never ever gets used, except for holding permissions? That's not nice, but I think it is valid and straight forward solution.
from django.db import models
class Permissions(models.Model):
can_search_blue_flower = 'my_app.can_search_blue_flower'
class Meta:
permissions = [
('can_search_blue_flower', 'Allowed to search for the blue flower'),
]
Above solution has the benefit, that you can use the variable Permissions.can_search_blue_flower
in your source code instead of using the literal string "my_app.can_search_blue_flower". This means less typos and more autocomplete in IDE.
回答6:
Instead of writing and running this code which inserts records into the database you could just insert the records into your database (obviously editing the primary and foreign keys as needed)
insert into django_content_type(id,name,app_label,model) values (22,'app_permission','myapp','app_permission');
insert into auth_permission(id,name,content_type_id,codename) values (64,'Is Staff Member',22,'staff_member');
And then in your application admin you would have the ability to assign 'Is Staff Member' to your users or groups. To check this permission in your class you would write
from django.contrib.auth.decorators import permission_required
from django.utils.decorators import method_decorator
from django.views.generic import TemplateView
class MyClass(TemplateView):
template_name = myapp/index.html'
@method_decorator(permission_required(['myapp.staff_member'],raise_exception=True))
def dispatch(self, *args, **kwargs):
return super(MyClass, self).dispatch(*args, **kwargs)
来源:https://stackoverflow.com/questions/13932774/how-can-i-use-django-permissions-without-defining-a-content-type-or-model