From 6546efed52fe54c840605a7d234f305dd58afb7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=BC=BA?= <1206709430@qq.com> Date: Tue, 31 May 2022 00:52:50 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DBUG:=20permission.py=E4=B8=AD?= =?UTF-8?q?=E6=9D=83=E9=99=90=E5=88=A4=E6=96=ADbug=E4=BF=AE=E5=A4=8D=20fix?= =?UTF-8?q?:https://gitee.com/liqianglog/django-vue-admin/issues/I59YV4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- backend/dvadmin/utils/permission.py | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/backend/dvadmin/utils/permission.py b/backend/dvadmin/utils/permission.py index 8d1f8f6..d31f49a 100644 --- a/backend/dvadmin/utils/permission.py +++ b/backend/dvadmin/utils/permission.py @@ -69,11 +69,11 @@ class CustomPermission(BasePermission): # 当权限为空时,则可以访问 is_head = getattr(view, 'head', None) if is_head: - head_kwargs = getattr(view.head, 'kwargs', None) - if head_kwargs: - _permission_classes = getattr(head_kwargs, 'permission_classes', None) - if _permission_classes is None: - return True + head_kwargs = getattr(view.head, 'kwargs', {}) + _permission_classes = getattr(head_kwargs, 'permission_classes', None) + _permission_classes = head_kwargs.get('permission_classes', None) + if _permission_classes == []: + return True # 判断是否是超级管理员 if request.user.is_superuser: return True 
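Review bot: The line `_permission_classes = getattr(head_kwargs, 'permission_classes', None)` left on the new side is dead and should be removed. `head_kwargs` is now treated as a dict (the next line calls `.get` on it), so the `getattr` yields None and is overwritten immediately. Within this hunk the early `return True` sits above the superuser and role checks, so it is the one branch that grants access without consulting `request.user`. It now fires only for an explicit `permission_classes=[]`; an empty tuple does not compare equal to `[]` and falls through to the normal checks, which fails closed. A comment on that branch, such as `# explicit permission_classes=[] on the action opts the endpoint out of API permission checks`, would make the opt-out auditable. The enclosing method begins and ends outside the hunk.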
@@ -85,17 +85,16 @@ class CustomPermission(BasePermission):
 # ***接口白名单***
 api_white_list = ApiWhiteList.objects.values(permission__api=F('url'), permission__method=F('method'))
 api_white_list = [
- str(item.get('permission__api').replace('{id}', '.*?')) + ":" + str(item.get('permission__method')) for
- item in api_white_list if item.get('permission__api')]
+ str(item.get('permission__api').replace('{id}', '([a-zA-Z0-9-]+)')) + ":" + str(
+ item.get('permission__method')) + '$' for item in api_white_list if item.get('permission__api')]
 # ********#
 if not hasattr(request.user, "role"):
 return False
 userApiList = request.user.role.values('permission__api', 'permission__method') # 获取当前用户的角色拥有的所有接口
 ApiList = [
- str(item.get('permission__api').replace('{id}', '.*?')) + ":" + str(item.get('permission__method')) for
- item in
- userApiList if item.get('permission__api')]
- new_api_ist = api_white_list + ApiList
+ str(item.get('permission__api').replace('{id}', '([a-zA-Z0-9-]+)')) + ":" + str(
+ item.get('permission__method')) + '$' for item in userApiList if item.get('permission__api')]
+ new_api_ist = api_white_list + ApiList
 new_api = api + ":" + str(method)
 for item in new_api_ist:
 matchObj = re.match(item, new_api, re.M | re.I)
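Review bot: The new `$` anchor is still evaluated under `re.M` in the `re.match(item, new_api, re.M | re.I)` call at the end of the hunk, so it also matches before a newline and the pattern is not pinned to the end of the string. Both list comprehensions (whitelist and role list) also concatenate the stored `permission__api` value into the pattern unescaped, so any regex metacharacter in a stored path, such as `.`, is interpreted rather than matched literally. Unless stored paths are meant to be regexes, build the pattern with `re.escape(path).replace(re.escape('{id}'), '([a-zA-Z0-9-]+)')` and compare with `re.fullmatch(item, new_api, re.I)`. The loop body that uses `matchObj` continues outside the hunk.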