使用编程方式创建带有权限的Django用户组

Question

使用编程方式创建带有权限的Django用户组

70

在管理员控制台中，我可以添加一个组并添加一堆与我的模型相关的权限，例如。

api | project | Can add project
api | project | Can change project
api | project | Can delete project

我该如何以编程的方式实现这个功能？我在网络上找不到关于如何实现这个功能的任何信息。

我的代码如下：

from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType

from api.models import Project


new_group, created = Group.objects.get_or_create(name='new_group')
# Code to add permission to group ???
ct = ContentType.objects.get_for_model(Project)
# Now what - Say I want to add 'Can add project' permission to new_group?

更新：感谢您提供的答案。我能够使用它来解决我的问题。在我的情况下，我可以这样做：

new_group, created = Group.objects.get_or_create(name='new_group')
proj_add_perm = Permission.objects.get(name='Can add project')
new_group.permissions.add(proj_add_perm)

- Steve Walsh

3

针对你所说的“更新”，你的意思是new_group.permissions.add(proj_add_perm)。 - CpILL

1

抱歉问一下，你把权限脚本放在哪里了？是和models.py放在同一个目录下吗？ - Elias Prado

4个回答

43

我需要为一些组创建一个默认的权限（只能查看）。我编写了一个manage.py命令，可以供其他人使用（create_groups.py）。您可以将其添加到您的<app>/management/commands目录中，然后通过manage.py create_groups运行：

"""
Create permission groups
Create permissions (read only) to models for a set of groups
"""
import logging

from django.core.management.base import BaseCommand
from django.contrib.auth.models import Group
from django.contrib.auth.models import Permission

GROUPS = ['developers', 'devops', 'qa', 'operators', 'product']
MODELS = ['video', 'article', 'license', 'list', 'page', 'client']
PERMISSIONS = ['view', ]  # For now only view permission by default for all, others include add, delete, change


class Command(BaseCommand):
    help = 'Creates read only default permission groups for users'

    def handle(self, *args, **options):
        for group in GROUPS:
            new_group, created = Group.objects.get_or_create(name=group)
            for model in MODELS:
                for permission in PERMISSIONS:
                    name = 'Can {} {}'.format(permission, model)
                    print("Creating {}".format(name))

                    try:
                        model_add_perm = Permission.objects.get(name=name)
                    except Permission.DoesNotExist:
                        logging.warning("Permission not found with name '{}'.".format(name))
                        continue

                    new_group.permissions.add(model_add_perm)

        print("Created default group and permissions.")

更新：现在更加复杂了：

from django.contrib.auth.models import Group
from django.contrib.auth.models import User
from django.contrib.auth.models import Permission
from django.contrib.contenttypes.models import ContentType


READ_PERMISSIONS = ['view', ]  # For now only view permission by default for all, others include add, delete, change
WRITE_PERMISSIONS = ['add', 'change', 'delete']
EMAIL_USER_DOMAIN = 'your-domain.com'

# Add your groups here, app and model code
GROUP_MODEL = ('auth', 'group')
USER_MODEL = ('auth', 'user')
PERMISSION_MODEL = ('auth', 'permission')
LOG_ENTRY_MODEL = ('admin', 'logentry')


def add_group_permissions(group_names, model_natural_keys, permissions):
    """
    Add permissions to the provided groups for the listed models.
    Error raised if permission or `ContentType` can't be found.

    :param group_names: iterable of group names
    :param model_natural_keys: iterable of 2-tuples containing natural keys for ContentType
    :param permissions: iterable of str (permission names i.e. add, view)
    """
    for group_name in group_names:
        group, created = Group.objects.get_or_create(name=group_name)

        for model_natural_key in model_natural_keys:
            perm_to_add = []
            for permission in permissions:
                # using the 2nd element of `model_natural_key` which is the
                #  model name to derive the permission `codename`
                permission_codename = f"{permission}_{model_natural_key[1]}"
                try:
                    perm_to_add.append(
                        Permission.objects.get_by_natural_key(
                            permission_codename, *model_natural_key
                        )
                    )
                except Permission.DoesNotExist:
                    # trying to add a permission that doesn't exist; log and continue
                    logging.error(
                        f"permissions.add_group_permissions Permission not found with name {permission_codename!r}."
                    )
                    raise
                except ContentType.DoesNotExist:
                    # trying to add a permission that doesn't exist; log and continue
                    logging.error(
                        "permissions.add_group_permissions ContentType not found with "
                        f"natural name {model_natural_key!r}."
                    )
                    raise

            group.permissions.add(*perm_to_add)


def set_users_group(users, group):
    """
    Adds users to specific permission group.
    If user or group does not exist, they are created.
    Intended for use with special users for api key auth.
    :param users: list of str, usernames
    :param group: str, group for which users should be added to
    :return: list, user objects added to group
    """
    users = users or []
    user_objs = []
    for user_name in users:
        try:
            user = User.objects.get(username=user_name)
        except User.DoesNotExist:
            user = User.objects.create_user(username=user_name,
                                            email=f'{user_name}@{EMAIL_USER_DOMAIN}',
                                            password='')
        user_objs.append(user)
        group, created = Group.objects.get_or_create(name=group)
        group.user_set.add(user)

    return user_objs


API_READ_GROUP = 'api-read-users'
API_WRITE_GROUP = 'api-write-users'
READ_GROUPS = [API_READ_GROUP, ]
WRITE_GROUPS = [API_WRITE_GROUP, ]  # Can be used in same way as read users below

# Adding users to a group
set_users_group(READ_USERS, API_READ_GROUP)

# Setting up the group permissions i.e. read for a group of models
add_group_permissions(READ_GROUPS, [GROUP_MODEL, USER_MODEL, LOG_ENTRY_MODEL], READ_PERMISSIONS)

我还发现使用manage.py update_permissions非常有用，可以在模型更改等情况下整理/清理过期的权限。它是Django扩展命令的一部分。

- radtek

1

注意，模型名称应该是小写，以空格分隔，例如，对于 UserInfo，应传递 user info。或者可以根据权限代码名称查找权限，例如 view_userinfo。 - Chris

2

请注意，模型名称将根据您的模型上是否指定了“verbose_name”而更改。 - radtek

1

不错。您可能想使用“代号”而不是“名称”，并且在情况下过滤content_type，以防在不同的应用程序中使用相同的model_name： MODELS = ['my_app.video'，.... app_label，model_name = MODELS[n].split（'.'）... content_type = ContentType.objects.get（app_label = app_label，model = model_name）... model_add_perm = Permission.objects.get（codename = codename，content_type = content_type） - Mario Orlandi

除了 management/commands，哪里是添加此脚本的最佳位置？ - Elias Prado

拥有管理命令用于创建和添加组和权限，相比将代码添加到models.py中，有哪些优点？ - Nnaobi

@EliasPrado manage.py searches 的搜索路径为 management/commands 目录，因此管理命令应该放在那里。 - Nnaobi

23

受radtek答案的启发，我创建了一个更好的版本（在我看来）。它允许将模型指定为对象（而不是字符串），并在一个字典中指定所有配置（而不是多个列表）。

# backend/management/commands/initgroups.py
from django.core.management import BaseCommand
from django.contrib.auth.models import Group, Permission

from backend import models

GROUPS_PERMISSIONS = {
    'ConnectionAdmins': {
        models.StaticCredentials: ['add', 'change', 'delete', 'view'],
        models.NamedCredentials: ['add', 'change', 'delete', 'view'],
        models.Folder: ['add', 'change', 'delete', 'view'],
        models.AppSettings: ['view'],
    },
}

class Command(BaseCommand):
    def __init__(self, *args, **kwargs):
        super(Command, self).__init__(*args, **kwargs)

    help = "Create default groups"

    def handle(self, *args, **options):
        # Loop groups
        for group_name in GROUPS_PERMISSIONS:

            # Get or create group
            group, created = Group.objects.get_or_create(name=group_name)

            # Loop models in group
            for model_cls in GROUPS_PERMISSIONS[group_name]:

                # Loop permissions in group/model
                for perm_index, perm_name in \
                        enumerate(GROUPS_PERMISSIONS[group_name][model_cls]):

                    # Generate permission name as Django would generate it
                    codename = perm_name + "_" + model_cls._meta.model_name

                    try:
                        # Find permission object and add to group
                        perm = Permission.objects.get(codename=codename)
                        group.permissions.add(perm)
                        self.stdout.write("Adding "
                                          + codename
                                          + " to group "
                                          + group.__str__())
                    except Permission.DoesNotExist:
                        self.stdout.write(codename + " not found")

- Pavel

2

谢谢。你还应该根据content_type进行过滤，以防同一个model_name被不同的应用程序使用。所以：perm = Permission.objects.get(codename=codename, content_type=content_type)，其中：content_type = ContentType.objects.get(app_label=app_label, model=model_name)。 - Mario Orlandi

谢谢您。我唯一会做的更改是删除__init__方法的定义。在这里似乎没有任何作用。 - Thismatters

谢谢。这个想法很好，但代码本身可以改进。例如，为什么要使用 enumerate？另外，在迭代 dict 时，您可能希望使用 dict.items() 同时获取键和值。尽管如此，非常感谢。 - Jacques Gaudin

为什么我的代码中的 "from backend import models" 无法正常工作？这是 Django 3.1 的问题。 - logicOnAbstractions

1

抱歉，我刚看到那是你的目录结构。 - logicOnAbstractions

显示剩余3条评论

13

参考@radtek和@Pavel的答案，我创建了自己的create_groups.py版本，使用python manage.py create_groups调用。该文件存储在app_name/management/commands/create_groups.py中。我在管理和命令文件夹内分别创建了__init__.py。

我创建了分别控制每个模型权限的可能性，因为我有一组名为Member的用户，他们必须对不同的模型具有不同的权限。我还添加了使用电子邮件创建用户并设置默认密码的可能性，然后将其与某个组关联。

from django.core.management import BaseCommand
from django.contrib.auth.models import User, Group , Permission
import logging

GROUPS = {
    "Administration": {
        #general permissions
        "log entry" : ["add","delete","change","view"],
        "group" : ["add","delete","change","view"],
        "permission" : ["add","delete","change","view"],
        "user" : ["add","delete","change","view"],
        "content type" : ["add","delete","change","view"],
        "session" : ["add","delete","change","view"],

        #django app model specific permissions
        "project" : ["add","delete","change","view"],
        "order" : ["add","delete","change","view"],
        "staff time sheet" : ["add","delete","change","view"],
        "staff" : ["add","delete","change","view"],
        "client" : ["add","delete","change","view"],       
    },

    "Member": {
        #django app model specific permissions
        "project" : ["view"],
        "order" : ["view"],
        "staff time sheet" : ["add","delete","change","view"],
    },
}


USERS = {
    "my_member_user" : ["Member","member@domain.cu","1234*"],
    "my_admin_user" :  ["Administration","admin@domain.ca","1234"],
    "Admin" : ["Administration","superuser@domain.cu","1234"],
}

class Command(BaseCommand):

    help = "Creates read only default permission groups for users"

    def handle(self, *args, **options):

        for group_name in GROUPS:

            new_group, created = Group.objects.get_or_create(name=group_name)

            # Loop models in group
            for app_model in GROUPS[group_name]:

                # Loop permissions in group/model
                for permission_name in GROUPS[group_name][app_model]:

                    # Generate permission name as Django would generate it
                    name = "Can {} {}".format(permission_name, app_model)
                    print("Creating {}".format(name))

                    try:
                        model_add_perm = Permission.objects.get(name=name)
                    except Permission.DoesNotExist:
                        logging.warning("Permission not found with name '{}'.".format(name))
                        continue

                    new_group.permissions.add(model_add_perm)


            for user_name in USERS:

                new_user = None
                if user_name == "Admin":
                    new_user, created = User.objects.get_or_create(username=user_name,is_staff = True,is_superuser = True, email = USERS[user_name][1])
                else:
                    new_user, created = User.objects.get_or_create(username=user_name,is_staff = True, email = USERS[user_name][1])

                new_user.set_password(USERS[user_name][2])
                new_user.save()

                if USERS[user_name][0] == str(new_group):

                    new_group.user_set.add(new_user)

                    print("Adding {} to {}".format(user_name,new_group))

- VMMF

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- anuragal · Accepted Answer

请使用以下代码

from django.contrib.auth.models import Group, Permission
from django.contrib.contenttypes.models import ContentType
from api.models import Project
new_group, created = Group.objects.get_or_create(name='new_group')
# Code to add permission to group ???
ct = ContentType.objects.get_for_model(Project)

# Now what - Say I want to add 'Can add project' permission to new_group?
permission = Permission.objects.create(codename='can_add_project',
                                   name='Can add project',
                                   content_type=ct)
new_group.permissions.add(permission)