update backend/dvadmin/utils/permission.py.
1)删除权限判断无效代码 2)url权限正则优化,防止权限扩大pull/59/head
parent
3d1f5225c2
commit
2224249ae3
|
@ -67,13 +67,13 @@ class CustomPermission(BasePermission):
|
|||
return False
|
||||
# 对ViewSet下的def方法进行权限判断
|
||||
# 当权限为空时,则可以访问
|
||||
is_head = getattr(view, 'head', None)
|
||||
if is_head:
|
||||
head_kwargs = getattr(view.head, 'kwargs', None)
|
||||
if head_kwargs:
|
||||
_permission_classes = getattr(head_kwargs, 'permission_classes', None)
|
||||
if _permission_classes is None:
|
||||
return True
|
||||
# is_head = getattr(view, 'head', None)
|
||||
# if is_head:
|
||||
# head_kwargs = getattr(view.head, 'kwargs', None)
|
||||
# if head_kwargs:
|
||||
# _permission_classes = getattr(head_kwargs, 'permission_classes', None)
|
||||
# if _permission_classes is None:
|
||||
# return True
|
||||
# 判断是否是超级管理员
|
||||
if request.user.is_superuser:
|
||||
return True
|
||||
|
@ -85,14 +85,14 @@ class CustomPermission(BasePermission):
|
|||
# ***接口白名单***
|
||||
api_white_list = ApiWhiteList.objects.values(permission__api=F('url'), permission__method=F('method'))
|
||||
api_white_list = [
|
||||
str(item.get('permission__api').replace('{id}', '.*?')) + ":" + str(item.get('permission__method')) for
|
||||
str(item.get('permission__api').replace('{id}', '\d+')) + ":" + str(item.get('permission__method')) for
|
||||
item in api_white_list if item.get('permission__api')]
|
||||
# ********#
|
||||
if not hasattr(request.user, "role"):
|
||||
return False
|
||||
userApiList = request.user.role.values('permission__api', 'permission__method') # 获取当前用户的角色拥有的所有接口
|
||||
ApiList = [
|
||||
str(item.get('permission__api').replace('{id}', '.*?')) + ":" + str(item.get('permission__method')) for
|
||||
str(item.get('permission__api').replace('{id}', '\d+')) + ":" + str(item.get('permission__method')) for
|
||||
item in
|
||||
userApiList if item.get('permission__api')]
|
||||
new_api_ist = api_white_list + ApiList
|
||||
|
|
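Review bot: The new `'\d+'` replacement, used in both comprehensions (the whitelist and `ApiList`), narrows only the `{id}` placeholder: the rest of the stored URL still goes into the pattern unescaped, so a character such as `.` in a configured path keeps acting as a wildcard. The literal is also not a raw string, so `\d` depends on Python's invalid-escape fallback, which newer interpreters warn about. Building each pattern as `r'\d+'.join(re.escape(p) for p in api.split('{id}'))`, with `api` standing for `item.get('permission__api')`, would address both, assuming `re` is already imported in this module. The code that matches the request against `new_api_ist` is outside the hunk, so it is worth confirming that it compares the whole `url:method` string (for example with `re.fullmatch`) rather than a prefix. `\d+` also assumes integer primary keys, so any route keyed by a UUID or slug will stop matching and be denied; a short comment above the comprehension stating that assumption would help.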