Exemple #1
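def has_obj_perm(user, obj):
    """
    Object-level data-scope check: may ``user`` operate on ``obj``?

    Models under data-scope control are expected to carry the fields
    belong_dept, create_by and update_by (department, creator, last editor).

    The scopes found in the user's roles are tested from broadest to
    narrowest and the first one present decides the result:
    '全部' (all), '自定义' (custom departments), '同级及以下' (parent
    department and below), '本级及以下' (own department and below),
    '本级' (own department only), '仅本人' (own records only).

    Args:
        user: user instance exposing ``roles`` and ``dept``.
        obj: model instance being accessed.

    Returns:
        True when access is allowed, False otherwise.
    """
    roles = user.roles
    data_range = roles.values_list('datas', flat=True)
    # NOTE(review): several paths below fall through to ``return True``
    # (custom scope with no departments, no parent department, no known
    # scope at all) -- confirm this fail-open default is intended.
    if '全部' in data_range:
        return True
    elif '自定义' in data_range:
        # NOTE(review): assumes ``roles.depts`` supports exists() and
        # membership tests -- verify against the role model.
        if roles.depts.exists():
            if obj.belong_dept not in roles.depts:
                return False
    elif '同级及以下' in data_range:
        if user.dept.parent:
            belong_depts = get_child_queryset2(user.dept.parent)
            if obj.belong_dept not in belong_depts:
                return False
    elif '本级及以下' in data_range:
        belong_depts = get_child_queryset2(user.dept)
        if obj.belong_dept not in belong_depts:
            return False
    elif '本级' in data_range:
        # Compare by equality, not identity: two separately loaded
        # instances of the same department are distinct Python objects,
        # so ``is not`` rejected users from the matching department.
        if obj.belong_dept != user.dept:
            return False
    elif '仅本人' in data_range:
        # Mirrors the creator/editor filter in rbac_filter_queryset; without
        # this branch an "own records only" user was allowed on every object.
        if obj.create_by != user and obj.update_by != user:
            return False
    return True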
Exemple #2
def rbac_filter_queryset(user, queryset):
    """
    Restrict ``queryset`` to the rows allowed by the user's data scope.

    Models under data-scope control are expected to carry the fields
    belong_dept, create_by and update_by (department, creator, last editor).
    A model without ``belong_dept`` is returned unfiltered.

    Scopes are tested from broadest to narrowest and the first one present
    in the user's roles decides the filter: '全部' (all), '自定义' (custom
    departments), '同级及以下' (parent department and below), '本级及以下'
    (own department and below), '本级' (own department), '仅本人' (rows the
    user created or last edited).

    Args:
        user: user instance exposing ``roles`` and ``dept``.
        queryset: queryset to restrict.

    Returns:
        The restricted queryset, or the original one when no filter applies.
    """
    roles = user.roles
    scopes = roles.values_list('datas', flat=True)

    if not hasattr(queryset.model, 'belong_dept'):
        return queryset

    # NOTE(review): a '自定义' role with no departments, a '同级及以下' user
    # whose department has no parent, and a user holding none of the scopes
    # below all get the unfiltered queryset -- confirm this fail-open default
    # is intended.
    if '全部' in scopes:
        return queryset

    if '自定义' in scopes:
        if not roles.depts.exists():
            return queryset
        return queryset.filter(belong_dept__in=roles.depts)

    if '同级及以下' in scopes:
        if not user.dept.parent:
            return queryset
        visible_depts = get_child_queryset2(user.dept.parent)
        return queryset.filter(belong_dept__in=visible_depts)

    if '本级及以下' in scopes:
        visible_depts = get_child_queryset2(user.dept)
        return queryset.filter(belong_dept__in=visible_depts)

    if '本级' in scopes:
        return queryset.filter(belong_dept=user.dept)

    if '仅本人' in scopes:
        own_rows = Q(create_by=user) | Q(update_by=user)
        return queryset.filter(own_rows)

    return queryset
    def get_queryset(self):
        """
        Return the view's queryset restricted to the requester's data scope.

        Superusers receive the full queryset, as do models that have no
        ``belong_dept`` attribute. For everyone else the first scope found
        in the user's roles (tested broadest to narrowest) selects the
        filter: '全部' (all), '自定义' (custom departments), '同级及以下'
        (parent department and below), '本级及以下' (own department and
        below), '本级' (own department), '仅本人' (rows the user created or
        last edited).
        """
        assert self.queryset is not None, (
            "'%s' should either include a `queryset` attribute, "
            "or override the `get_queryset()` method." %
            self.__class__.__name__)

        queryset = self.queryset
        if isinstance(queryset, QuerySet):
            # Clone so that cached results are not reused across requests.
            queryset = queryset.all()

        # Performance optimisation: let the serializer add its eager loading.
        if hasattr(self.get_serializer_class(), 'setup_eager_loading'):
            queryset = self.get_serializer_class().setup_eager_loading(
                queryset)

        if self.request.user.is_superuser:
            return queryset

        if not hasattr(queryset.model, 'belong_dept'):
            return queryset

        user = self.request.user
        roles = user.roles
        scopes = roles.values_list('datas', flat=True)

        # NOTE(review): a '自定义' role with no departments, a '同级及以下'
        # user whose department has no parent, and a user holding none of the
        # scopes below all get the unfiltered queryset -- confirm this
        # fail-open default is intended.
        if '全部' in scopes:
            return queryset

        if '自定义' in scopes:
            if not roles.depts.exists():
                return queryset
            return queryset.filter(belong_dept__in=roles.depts)

        if '同级及以下' in scopes:
            if not user.dept.parent:
                return queryset
            visible_depts = get_child_queryset2(user.dept.parent)
            return queryset.filter(belong_dept__in=visible_depts)

        if '本级及以下' in scopes:
            visible_depts = get_child_queryset2(user.dept)
            return queryset.filter(belong_dept__in=visible_depts)

        if '本级' in scopes:
            return queryset.filter(belong_dept=user.dept)

        if '仅本人' in scopes:
            own_rows = Q(create_by=user) | Q(update_by=user)
            return queryset.filter(own_rows)

        return queryset
Exemple #4
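 def get_queryset(self):
     """
     Return the view's queryset, optionally narrowed by the ``dept`` query
     parameter to members of that department and all of its sub-departments.

     An unknown or malformed ``dept`` value yields an empty queryset instead
     of an unhandled exception.
     """
     # Clone so that results cached on the class-level queryset are not
     # served again on later requests.
     queryset = self.queryset.all()
     # Performance optimisation: let the serializer add its eager loading.
     if hasattr(self.get_serializer_class(), 'setup_eager_loading'):
         queryset = self.get_serializer_class().setup_eager_loading(queryset)
     # NOTE(review): ``dept`` comes straight from the request and no
     # data-scope filtering is applied in this method -- confirm that every
     # caller who reaches this view may list any department's members.
     dept = self.request.query_params.get('dept', None)
     if dept is not None:
         try:
             root_dept = Organization.objects.get(pk=dept)
         except (Organization.DoesNotExist, ValueError):
             # Client-supplied pk that does not resolve to a department.
             return queryset.none()
         deptqueryset = get_child_queryset2(root_dept)
         queryset = queryset.filter(dept__in=deptqueryset)
     return queryset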