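How do I apply django-rules to the admin site?

Project requirement: I want to use django-rules to implement object-level permission control in the admin site. Test case: I tried running the testapp test case from https://github.com/dfunckt/django-rules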

from django.db import models
from django.conf import settings

class Book(models.Model):
    isbn = models.CharField(max_length=50, unique=True)
    title = models.CharField(max_length=100)
    author = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)

    def __str__(self):
        return self.title

from django.contrib import admin
from rules.contrib.admin import ObjectPermissionsModelAdmin
from .models import Book

class BookAdmin(ObjectPermissionsModelAdmin):
    pass

admin.site.register(Book, BookAdmin)

import rules

# Predicates

@rules.predicate
def is_book_author(user, book):
    if not book:
        return False
    return book.author == user


@rules.predicate
def is_boss(user):
    return user.is_superuser


is_editor = rules.is_group_member('editors')

# Rules

rules.add_rule('change_book', is_book_author | is_editor)
rules.add_rule('delete_book', is_book_author)
rules.add_rule('create_book', is_boss)

# Permissions

rules.add_perm('testapp.change_book', is_book_author | is_editor)
rules.add_perm('testapp.delete_book', is_book_author)

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rules',
    'testapp',
]
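  • Actual steps: 1. Using a MySQL database, after running the migrations to create the tables, I logged in to the admin site to try it out. The user guest1 is not a superuser and was given all four permissions on book: view, add, change, delete.

  • Error: Verifying with the guest1 user in the admin site, creating an article: success; clicking to try to modify the article shows forbidden 403, as shown below: list page

Message shown after attempting the modification

Q: I would like to know how to use rules correctly?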

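An added example, not part of the original post and not django-rules' own code: a pure-Python model of the object-level check that sits behind the 403 on the change page. It assumes the project's settings list only Django's default ModelBackend (the post shows only INSTALLED_APPS), leaves out the is_editor predicate, and the two *Model classes are constructed stand-ins for the real backends.

```python
# Simplified model (constructed) of how user.has_perm() walks AUTHENTICATION_BACKENDS.
class Book:
    def __init__(self, author):
        self.author = author

class ModelBackendModel:
    """Stand-in for django.contrib.auth.backends.ModelBackend."""
    def __init__(self, granted):
        self.granted = granted  # {username: {perm, ...}}, as ticked in the admin
    def has_perm(self, user, perm, obj=None):
        if obj is not None:  # ModelBackend grants nothing for object-level checks
            return False
        return perm in self.granted.get(user, set())

class RulesBackendModel:
    """Stand-in for rules.permissions.ObjectPermissionBackend."""
    def __init__(self, perms):
        self.perms = perms  # {perm: predicate(user, obj)}, as built by rules.add_perm
    def has_perm(self, user, perm, obj=None):
        predicate = self.perms.get(perm)
        return bool(predicate and predicate(user, obj))

def has_perm(backends, user, perm, obj=None):
    # Any backend answering True grants the permission (PermissionDenied is not modelled).
    return any(b.has_perm(user, perm, obj) for b in backends)

def is_book_author(user, book):  # same logic as the predicate in the post
    return bool(book) and book.author == user

def change_check(backends, user, book):
    # ObjectPermissionsModelAdmin passes the edited object to has_perm().
    return has_perm(backends, user, "testapp.change_book", book)

# Constructed sample data for the scenario in the post.
ALL_FOUR = {"testapp.%s_book" % a for a in ("view", "add", "change", "delete")}
DB_PERMS = {"guest1": ALL_FOUR}
RULES = {"testapp.change_book": is_book_author, "testapp.delete_book": is_book_author}
own_book, other_book = Book("guest1"), Book("guest2")

default_only = [ModelBackendModel(DB_PERMS)]
with_rules = [RulesBackendModel(RULES), ModelBackendModel(DB_PERMS)]

if __name__ == "__main__":
    print("default backend, own book:", change_check(default_only, "guest1", own_book))
    print("rules backend, own book:  ", change_check(with_rules, "guest1", own_book))
    print("rules backend, other book:", change_check(with_rules, "guest1", other_book))
```

In a real project the corresponding setting is AUTHENTICATION_BACKENDS, listing rules.permissions.ObjectPermissionBackend ahead of django.contrib.auth.backends.ModelBackend, as the django-rules README describes.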