update backend/dvadmin/utils/permission.py.

1)删除权限判断无效代码
2)url权限正则优化,防止权限扩大
pull/59/head
chuanwei 2022-05-30 14:34:00 +00:00 committed by Gitee
parent 3d1f5225c2
commit 2224249ae3
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
1 changed files with 9 additions and 9 deletions


@ -67,13 +67,13 @@ class CustomPermission(BasePermission):
return False return False
# 对ViewSet下的def方法进行权限判断 # 对ViewSet下的def方法进行权限判断
# 当权限为空时,则可以访问 # 当权限为空时,则可以访问
is_head = getattr(view, 'head', None) # is_head = getattr(view, 'head', None)
if is_head: # if is_head:
head_kwargs = getattr(view.head, 'kwargs', None) # head_kwargs = getattr(view.head, 'kwargs', None)
if head_kwargs: # if head_kwargs:
_permission_classes = getattr(head_kwargs, 'permission_classes', None) # _permission_classes = getattr(head_kwargs, 'permission_classes', None)
if _permission_classes is None: # if _permission_classes is None:
return True # return True
# 判断是否是超级管理员 # 判断是否是超级管理员
if request.user.is_superuser: if request.user.is_superuser:
return True return True
@ -85,14 +85,14 @@ class CustomPermission(BasePermission):
# ***接口白名单*** # ***接口白名单***
api_white_list = ApiWhiteList.objects.values(permission__api=F('url'), permission__method=F('method')) api_white_list = ApiWhiteList.objects.values(permission__api=F('url'), permission__method=F('method'))
api_white_list = [ api_white_list = [
str(item.get('permission__api').replace('{id}', '.*?')) + ":" + str(item.get('permission__method')) for str(item.get('permission__api').replace('{id}', '\d+')) + ":" + str(item.get('permission__method')) for
item in api_white_list if item.get('permission__api')] item in api_white_list if item.get('permission__api')]
# ********# # ********#
if not hasattr(request.user, "role"): if not hasattr(request.user, "role"):
return False return False
userApiList = request.user.role.values('permission__api', 'permission__method') # 获取当前用户的角色拥有的所有接口 userApiList = request.user.role.values('permission__api', 'permission__method') # 获取当前用户的角色拥有的所有接口
ApiList = [ ApiList = [
str(item.get('permission__api').replace('{id}', '.*?')) + ":" + str(item.get('permission__method')) for str(item.get('permission__api').replace('{id}', '\d+')) + ":" + str(item.get('permission__method')) for
item in item in
userApiList if item.get('permission__api')] userApiList if item.get('permission__api')]
new_api_ist = api_white_list + ApiList new_api_ist = api_white_list + ApiList
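Review bot: The replacement string in both the `api_white_list` and `ApiList` comprehensions is the non-raw literal `'\d+'`, which Python accepts only as an invalid escape sequence (a DeprecationWarning since 3.6, a SyntaxWarning from 3.12) — write it as `r'\d+'`. Narrowing `{id}` from `.*?` to `\d+` only closes the over-match if the literal part of the stored path is regex-escaped too and the comparison is anchored at both ends, e.g. `re.escape(item.get('permission__api')).replace(r'\{id\}', r'\d+')` here and `re.fullmatch(...)` wherever `new_api_ist` is consumed; that consumer lies outside this hunk, so I cannot confirm the anchoring. Without those two steps an unescaped `.` in a stored path still matches any character, and an unanchored `re.match` still lets `/api/user/\d+` authorize `/api/user/1/anything`, which is the very expansion the commit message says it prevents. Note also that any route whose `{id}` is not a decimal integer (UUID primary keys) now fails closed, so check the URLconf for such routes, and the block commented out in the first hunk should be deleted outright rather than left as dead text. The comprehensions sit inside a method whose definition begins before the first hunk.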