在Django中查看权限 [英] View permissions in Django

问题描述

由于django管理员在auth中具有三个权限:添加，更改，删除！我想在管理面板的此auth中添加查看权限.我知道我必须自定义权限才能在"auth |权限|可以查看权限"中添加查看权限以查看所有条目！

As django admin has three permissions in it's auth : add, change, delete! I want to add view permission in this auth in admin panel.I know i have to customize permissions to add view permission in 'auth|permission|can view permission' to view all entries!

方式:

[X] 1.在默认权限列表中添加了视图"

[X] 1. Added 'view' to default permission list

#./contrib/auth/management/init.py
def _get_all_permissions(opts):

    "Returns (codename, name) for all permissions in the given opts."
    perms = []
    for action in ('add', 'change', 'delete', 'view'):

        perms.append((_get_permission_codename(action, opts), u'Can %s %s' % (action, opts.verbose_name_raw)))

    return perms + list(opts.permissions)

[X] 2.测试将视图"权限添加到所有模型中

[X] 2. Test the 'view' permission is added to all models

run manage.py syncdb

我确认现在已为auth_permissions表中的所有表添加了查看权限

I confirmed that view permission is now added for all tables in the auth_permissions table

[X] 3.将"get_view_permission"添加到默认模型类.

[X] 3. Add "get_view_permission" to default model class.

将get_view_permission添加到模型类中.您可以在文件./db/models/options.py中找到它.下一步，管理类将使用它.

Added get_view_permission to the model class. You can find this in the file ./db/models/options.py This is used by the admin class in the next step.

def get_view_permission(self):

    return 'view_%s' % self.object_name.lower()

[X] 4.将"has_view_permission"添加到默认管理类中

[X] 4. Add "has_view_permission" to default admin class

为了保持一致，我将向系统添加"has_view_permission".看起来它应该在 contrib/admin/options.py 中的某个位置.确保用户是否具有更改权限，然后会自动隐含查看权限.

Just to be consistent I'm going to add "has_view_permission" to the system. Looks like it should be somewhere in contrib/admin/options.py. Made sure if the user has has change permission, then view permissions are automatically implied.

# /contrib/admin/options.py
# Added has_view_permissions
def has_view_permission(self, request, obj=None):

    """
    Returns True if the given request has permission to change or view
    the given Django model instance.


    If obj is None, this should return True if the given request has
    permission to change *any* object of the given type.
    """
    opts = self.opts
    return self.has_change_permission(request, obj) or \

        request.user.has_perm(opts.app_label + '.' + opts.get_view_permission())


# modified get_model_perms to include 'view' too.
# No idea where this may be used, but trying to stay consistent
def get_model_perms(self, request):

    """
    Returns a dict of all perms for this model. This dict has the keys
    add, change, and delete and view mapping to the True/False
    for each of those actions.
    """
    return {

        'add': self.has_add_permission(request),
        'change': self.has_change_permission(request),
        'delete': self.has_delete_permission(request),
        'view': self.has_view_permission(request),

    }


# modified response_add function to return the user to the mode list
# if they added a unit and have view rights
...

    else:

        self.message_user(request, msg)

        # Figure out where to redirect. If the user has change permission,
        # redirect to the change-list page for this object. Otherwise,
        # redirect to the admin index.
        #if self.has_change_permission(request, None):
        if self.has_change_permission(request, None) or self.has_view_permission(request, None):

            post_url = '../'

        else:

            post_url = '../../../'

        return HttpResponseRedirect(post_url)

    # modified the change_view function so it becomes the details
    # for users with view permission

        #if not self.has_change_permission(request, obj):
        if not (self.has_change_permission(request, obj) or (self.has_view_permission(request, obj) and not request.POST)):

            raise PermissionDenied

        # modified the changelist_view function so it shows the list of items
        # if you have view permissions

def changelist_view(self, request, extra_context=None):

            "The 'change list' admin view for this model."
            from django.contrib.admin.views.main import ChangeList, ERROR_FLAG
            opts = self.model._meta
            app_label = opts.app_label
            #if not self.has_change_permission(request, None):
            if not (self.has_change_permission(request, None) or self.has_view_permission(request, None)):

                raise PermissionDenied

[X] 5.如果用户具有查看权限，则更新默认模板以列出模型

[X] 5. Update default template to list models if user has view permission

我在contrib/admin/templates/admin/index.html中修改了默认模板.也可以通过将文件复制到本地模板目录来解决.我对两者进行了更改，因此如果以后的升级覆盖了我的更改，我将获得一份副本.

I modified the default template in contrib/admin/templates/admin/index.html. This could also be handled by copying the file to the local templates directory instead. I made changes in both so I have a copy if a later upgrade overwrites my changes.

{% for model in app.models %}

    <tr>
    {% if model.perms.change %}

        <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>

    {% else %}

        {% if model.perms.view %}

            <th scope="row"><a href="{{ model.admin_url }}">{{ model.name }}</a></th>

        {% else %}

            <th scope="row">{{ model.name }}</th>

        {% endif %}

    {% endif %}

[X] 6.确认用户可以查看"但不能更改"模型

[X] 6. Confirm user can "view" but not "change" the model

找到的contrib/admin/templatetags/admin_modify.py出现以控制是否显示保存/保存和继续按钮.将保存"字段从默认值始终更改为True，以检查上下文和权限.如果用户具有更改或添加权限，则应该能够保存.

Found contrib/admin/templatetags/admin_modify.py appears to control save / save and continue buttons appearing or not. Changed "save" field from default of always True, to check for context and permissions. User should be able to save if they have change or add permissions.

'show_save': (change and context['has_change_permission']) or (context['add'] and context['has_add_permission'])

[X] 7.如果用户正在查看某项，则删除保存并添加另一个"按钮

[X] 7. Remove "Save and Add another" button if user is viewing an item

再次修改了contrib/admin/templatetags/admin_modify.py.我不知道'save_as'是什么意思，所以也许我弄坏了一些东西，但它似乎起作用.

Modified contrib/admin/templatetags/admin_modify.py again. I don't know what 'save_as' means so maybe I broke something, but it seems to work.

#'show_save_and_add_another': context['has_add_permission'] and
# not is_popup and (not save_as or context['add']) ,
'show_save_and_add_another': not is_popup and
    (( change and context['has_change_permission']) or (context['add'] and context['has_add_permission']))
    and
    (not save_as or context['add']),

[X] 8.修改查看"权限以使表单只读

[X] 8. Modify "view" permission to make form read only

如果用户具有查看"权限和更改"权限，则什么都不做.更改替代视图.

If the user has "view" permission and "change" permission, then do nothing. Change overrides view.

如果用户具有查看"权限而没有更改"，则更改默认表单，并向表单元素添加DISABLED或READONLY属性.并非所有浏览器都支持此功能，但出于我的目的，我可以要求用户使用正确的浏览器. [禁用/只读示例] [1]

If the user has "view" permission without "change" then change the default forms and add DISABLED or READONLY attributes to the form elements. Not all browsers support this, but for my purposes I can require that users use the right one. [Disabled / Readonly example][1]

发现并非所有浏览器都支持只读"，因此将某些控件设置为只读，将其他控件设置为禁用.这样，用户可以根据需要从文本控件复制数据.

Found that not all browsers honor "readonly" so it sets some controls to readonly, others to disabled. This allows users to copy data from the text controls if needed.

#/django/contrib/admin/templates/admin/change_form.html


{# JavaScript for prepopulated fields #}
{% prepopulated_fields_js %}


</div>
</form></div>
{% if has_view_permission and not has_change_permission %}

    <script type="text/javascript">
    jQuery('input:text').attr('readonly', 'readonly');
    jQuery('textarea').attr('readonly', 'readonly');
    jQuery('input:checkbox').attr('disabled', true);
    jQuery('select').attr('disabled', true);
    jQuery('.add-another').hide();
    </script>

{% endif %}

答案来源:我如何修改django以创建视图"权限?

问题:在完成上述回答后，我已经完成，可以看到此127.0.0.1:8000/zh-cn/admin/页面为只读**，但看不到用户127.0.0.1: 8000/zh-CN/admin/user .需要帮助！**

推荐答案

Django 2.1在默认权限中添加了查看权限.以下解决方案可以在Django的早期版本中使用. https://docs.djangoproject.com/zh/2.1 /releases/2.1/#model-view-permission

Django 2.1 added a view permission to the default permissions. The solution below may work in earlier versions of Django. https://docs.djangoproject.com/en/2.1/releases/2.1/#model-view-permission

这是在Django 1.6.2中测试过的有效解决方案

This is a working solution tested in Django 1.6.2

[X] 1. Added 'view' to default permission list:确定
[X] 2. Test the 'view' permission is added to all models:确定

[X] 1. Added 'view' to default permission list: OK
[X] 2. Test the 'view' permission is added to all models: OK

[X] 3. Add "get_view_permission" to default model class.不再有用:

def get_add_permission(self):
    """
    This method has been deprecated in favor of
    `django.contrib.auth.get_permission_codename`. refs #20642
    """
    warnings.warn(
        "`Options.get_add_permission` has been deprecated in favor "
        "of `django.contrib.auth.get_permission_codename`.",
        PendingDeprecationWarning, stacklevel=2)
    return 'add_%s' % self.model_name

所有这些方法get_foo_permission

[X] 4. Add "has_view_permission" to default admin class应该是:

def has_view_permission(self, request, obj=None):
    """
    Returns True if the given request has permission to change or view
    the given Django model instance.


    If obj is None, this should return True if the given request has
    permission to change *any* object of the given type.
    """
    opts = self.opts
    codename = get_permission_codename('view', opts)
    return self.has_change_permission(request, obj) or \
        request.user.has_perm("%s.%s" % (opts.app_label, codename))

如果模型是内联模型，请检查其正确性，因此需要注意正确的视图

if the model is an inline one check its right, so need to be aware of the right view

def get_inline_instances(self, request, obj=None):

    ...

    if not (inline.has_add_permission(request) or
            inline.has_change_permission(request, obj) or
            inline.has_delete_permission(request, obj) or
            inline.has_view_permission(request, obj)):  # add the view right
        continue

    ...

在get_model_perms上进行修改以包含视图"，以相同的想法执行此操作:

Do the modification on get_model_perms to include 'view', in the same idea do this one:

def render_change_form(self, request, context, add=False, change=False, form_url='', obj=None):

    ...

    context.update({

        ...

        'has_view_permission': self.has_view_permission(request, obj), # add the view right

        ...

    })

    ....

允许右视图"呈现一个对象的页面，并禁用右视图"以保存在页面上所做的修改，以避免[X] 8. Modify "view" permission to make form read only

Allow the 'right view' to render the page (of one object) and disable the 'right view' to save the modification done on a page avoid [X] 8. Modify "view" permission to make form read only

@csrf_protect_m
@transaction.atomic
def change_view(self, request, object_id, form_url='', extra_context=None):
    "The 'change' admin view for this model."
    model = self.model
    opts = model._meta

    obj = self.get_object(request, unquote(object_id))

    # addthe view right
    if not (self.has_view_permission(request, obj) or
            self.has_change_permission(request, obj)):
        raise PermissionDenied

    ...

    inline_instances = self.get_inline_instances(request, obj)
    # do not save the change if I'm not allowed to:
    if request.method == 'POST' and self.has_change_permission(request, obj):
        form = ModelForm(request.POST, request.FILES, instance=obj)

    ...

允许右视图"呈现页面(所有对象的列表)

Allow the 'right view' to render the page (the list of all objects)

@csrf_protect_m
def changelist_view(self, request, extra_context=None):
    """
    The 'change list' admin view for this model.
    """
    from django.contrib.admin.views.main import ERROR_FLAG
    opts = self.model._meta
    app_label = opts.app_label
    # allow user with the view right to see the page
    if not (self.has_view_permission(request, None) or
            self.has_change_permission(request, None)):
        raise PermissionDenied

    ....

[X] 5. Update default template to list models if user has view permission:可以，但是要避免修改html模板，请编辑此文件:contrib/admin/site.py

[X] 5. Update default template to list models if user has view permission: OK but to avoid to modify the html template edit this file: contrib/admin/site.py

class AdminSite(object):

    @never_cache
    def index(self, request, extra_context=None):

        ...

        # add the view right
        if perms.get('view', False) or perms.get('change', False):
        try:
            model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name)
        except NoReverseMatch:
            pass

        ...

    def app_index(self, request, app_label, extra_context=None):

        ...

        # add the view right
        if perms.get('view', False) or perms.get('change', False):
            try:
                model_dict['admin_url'] = reverse('admin:%s_%s_changelist' % info, current_app=self.name)
            except NoReverseMatch:
                pass

        ...

[X] 6. Confirm user can "view" but not "change" the model和[X] 7. Remove "Save and Add another" button if user is viewing an item:应该可以，但我做到了:

[X] 6. Confirm user can "view" but not "change" the model and [X] 7. Remove "Save and Add another" button if user is viewing an item: should be ok but i did that:

'show_save_as_new': context['has_add_permission'] and not is_popup and change and save_as,
'show_save': context['has_change_permission'],

[X] 8.修改查看"权限以使表单只读:好的，但是我有上面提到的其他解决方案

[X] 8. Modify "view" permission to make form read only: Ok but i have an other solution see above

这篇关于在Django中查看权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！