The composition of RBAC
In the RBAC model, there are three basic components: Users, roles, and permissions. RBAC controls user permissions by defining role permissions and granting a role to users. RBAC implements logical classification of users and permissions, greatly facilitating permission management
- User: Each User is identified by a unique UID and is granted a different role
- Role: Different roles have different rights
- Permission: Access Permission
- User-role mapping: Mapping between users and roles
- Role-permission mapping: mapping between roles and permissions
RBAC permission determination implementation method
- First get all the roles of the logged-in user
- Obtain the permissions of all roles
- Return True if permission is granted, False if not
from django.core.cache import cache
from rest_framework.permissions import BasePermission
def get_permission_list(user) :
# check whether user is the super administrator
if user.is_superuser:
perms_list = ['admin']
else:
perms = Permission.objects.none()
Get all of the user's roles
roles = user.roles.all(a)Get all permissions for the role
if roles:
for i in roles:
perms = perms | i.perms.all()
perms_list = perms.values_list("method", flat=True)
perms_list = list(set(perms_list))
cache.set(user.username + "__perms" + perms_list)
return perms_list
class RbacPermission(BasePermission) :
def has_permission(self, request, view) :
Check whether the user is logged in
if not request.user:
perms = ['visitor'] # If you are not logged in, consider yourself a tourist
Read permissions in the cache
perms = cache.get(user.username + "__perms" + perms_list)
if not perms:
perms = get_permission_list(request.user)
if perms:
if "admin" in perms:
Check whether you are the super administrator
return True
elif not hasattr(view, "perms_map") :# Check whether the view object has the perms_map attribute
return True
else:
perms_map = view.perms_map
Request method ()
_method = request._request.method.lower()
if perms_map:
for key in perms_map:
if key == _method or key == "*":
if perms_map[key] in perms or perms_map[key] == "*":
return True
return False
else:
return False
def has_object_permission(self, request, view, obj) :
if not request.user:
return False
Copy the codeDynamically update permissions or front-end refresh when changing user roles
from django.db.models.signals import m2m_changed
from .models import Role, Permission, User
from django.dispatch import receiver
from django.core.cache import cache
from .permission import get_permission_list
@receiver(m2m_changed, sender=User.roles.through)
def update_perms_cache_user(sender, instance, action, **kwargs) :
if action in ['post_remove'.'post_add'] :if cache.get(instance.username + "__perms".None):
get_permission_list(instance)
Copy the codeCustom permission validation is used in settings.py
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated'.'apps.system.permission.RbacPermission']}Copy the code