background
Permission system is inevitable in the background, this article shares our permission system implementation scheme.
Before sharing, let’s briefly introduce our platform business. We are the Quality Department, and our platform connects with multiple business departments, so we need to achieve:
- Many users
- Multiple projects
- Three kinds of roles
Different users have different roles in projects of different departments. Each role has different operation permissions on different interfaces. For example:
- Only Admin can delete data
- All users have access to data
- Only Operator can modify data
The above is the simplified permission system requirements, the following implementation scheme.
Design and Implementation
In django-Model serialization returns a natural primary key, we learned about the DRF serialization module. In addition to serialization, DRF encapsulates many useful functions. For example, our current platform APIView is derived from the DRF APIView class. There are Pagination classes, Permission classes, and so on.
Our solution for implementing permission control is borrowed from DRF’s DjangoModelPermission class.
Djangos Permission module already has User, Group, and Permission data models and relationships. The reason why we don’t use the official Permission module or DRF Permission module directly is that both of them are based on the CURD of the data model and can be configured, but configuration and data migration are relatively difficult. The point is that the service does not need elaborate and flexible permission configuration, so it is not adopted.
Role relationship
Users have different roles in different projects, and a project may have multiple users. Therefore, the relationship between users, projects, and roles is as follows: The user and project form a combined primary key, corresponding to one role.
User-project-role relationships:
Project-user-role relationships:
A table displays information about roles of a user in different products, all users in a product, and their permissions, facilitating role configuration in two dimensions.
The data model
from django.db import models
from django.conf import settings
from myapp.codes import role
class UserProjectRole(models.Model):
User - Project - Role relationship Table
user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)
project = models.ForeignKey('myapp.Project', on_delete=models.CASCADE)
role = models.IntegerField(default=role.GUEST)
class Meta:
db_table = 'myapp_user_project_role'
unique_together = ['user'.'project']
Copy the code
Roles and the Session
Although a user has different roles in different projects, the user can access only one project at a time. Therefore, the current product and corresponding roles can be directly saved in the user’s Session to reduce the process of frequent database query.
Code implementation
def get_or_create_role(user_id, project_id, session, default_role=role.GUEST):
Get the current user's role based on session
role = session.get('role')
if not role:
role_rel_obj, _ = AuthGroup.objects.get_or_create(
user_id=user_id,
project_id=project_id,
default={'role': default_role})
session['role'] = role_rel_obj.role
return role
Copy the code
Role Initialization
When a user first selects an item, a piece of data is inserted into the myapp_USER_PROJect_ROLE table.
It’s worth noting that Djangos auth_user table has a field that can be used to determine if a user is an administrator. I use auth_user.is_staff == 1 as the admin, and admin permissions can only be changed via Django’s admin site to ensure that admin users don’t get demoted.
If the user is an administrator, insert the admin role. Otherwise, insert the Guest role. The Operator role is created by configuring an interface.
Code implementation
class SelectProject(MyAPIView):
def post(self, request, project_id):
""" Select items """
default_role = role.ADMIN if is_admin(request.user) else role.GUEST
role_rel_obj, _ = UserProjectRole.objects.get_or_create(
user=request.user,
project_id=project_id,
defaults={'role': default_role})
request.session['role'] = role_rel_obj.role
...
Copy the code
Permissions on the relationship between
The permission refers to the operation permission for each interface to send different request methods.
Interface-request method-Role relationship:
DRF DjangoModelPermission classes
DjangoModelPermission Full source code access its source code.
Now let’s examine the implementation of this class.
First is the description in docString: It ensures that the user is authenticated, and has the appropriate add/change/delete permissions on the model. And a mapping between request types and permissions:
perms_map = {
'GET': [].'OPTIONS': [].'HEAD': [].'POST': ['%(app_label)s.add_%(model_name)s'].'PUT': ['%(app_label)s.change_%(model_name)s'].'PATCH': ['%(app_label)s.change_%(model_name)s'].'DELETE': ['%(app_label)s.delete_%(model_name)s'],}Copy the code
As you can see, this permission class controls permissions based on the relationship between the CURD of the data model and the request type.
Then look at the definitions of two class methods:
get_required_permissions
: Gives a request type and returns a list of permissions required for that request typehas_permission
: Checks whether the user has the permission to execute the request
The has_permission method is defined in the parent class BasePermission. Returning True indicates permission, otherwise it is caught in the APIView and returns 403.
With the general logic, we can rewrite a RolePermissions class.
Code implementation
Since we directly control the different request methods of the interface, we need to define a list of permissions for each request method. To simplify writing, I changed the list to the minimum required permissions:
class MyAPI(MyAPIView):
min_perms_map = {
'POST': role.OPERATOR,
'DELETE': role.ADMIN,
}
Copy the code
Rewrite get_required_permissions to return a list of permissions based on the minimum permissions:
def get_required_permissions(perms_map, allowed_methods, method):
"" Receives the MIN_perMS_map configured by the APIView and the sent request Method, and returns a list of roles that are allowed to request. If no permission is configured for method in the APIView, all roles are considered to have user permissions for method. "" "
if method not in perms_map:
if method not in allowed_methods:
raise exceptions.MethodNotAllowed(method)
return list(range(1, role.GUEST + 1))
return list(range(1, perms_map[method] + 1))
Copy the code
The has_perms method is defined in Djangos User data model and cannot be overridden. Create a normal method has_perms to obtain the permission for this request.
def has_perms(request, perms: list):
""" Determine user permissions in the project """
try:
role = get_or_create_role(request.user.pk, request.session)
if not role:
return False
if not perms or role in perms:
return True
return False
except:
return False
Copy the code
Set to the default Permission class
Because the RolePermission class is initialized after our application is generated, it cannot be configured in settings.py.
My solution is to rewrite a MyAPIView class that inherits from DRF’s APIView class. Configure in this class:
from rest_framework.views import APIView
from myapp.permissions import RolePermissions
class MyAPIView(APIView):
permission_class = [RolePermissions]
Copy the code
Then each interface inherits from MyAPIView.
Unit testing
In the use case that does not care about roles, we can write a switch for the MyAPIView class, such as not configuring permission_class when the variable RUN_TEST is True to bypass the restriction on permission judgments:
class MyAPIView(APIView):
if RUN_TEST is False:
permission_class = [RolePermissions]
Copy the code
conclusion
Role-based permission control (RBAC) is implemented in different services. For more refined permission management, more complex permission relationships need to be designed. Choose what works for your business.