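def has_permission(self, request, view):
    """Allow staff unconditionally; otherwise require the base-class permission
    plus the ``view_question`` permission on the course named in the request.

    The course id is read, in order, from ``request.data['course']``,
    ``request.data['pk']``, ``request.data['id']`` and finally the first value
    of the ``courses[]`` query parameter. No id, or an id that is not an
    integer, denies access (fail closed) rather than letting the ORM raise and
    surface a server error. Debug ``print`` calls that dumped the user's role
    and permissions to stdout were removed.

    Args:
        request: DRF request; ``request.user``, ``request.data`` and
            ``request.query_params`` are read.
        view: the view being checked; only forwarded to the base class.

    Returns:
        bool: True when access is granted, False otherwise.

    NOTE(review): the course id comes from the client-supplied payload, not
    from the object the view will actually operate on. The view must verify
    that its target object belongs to this course; otherwise a user holding a
    role in course A can name course A here while acting on data of course B.
    """
    if request.user.is_staff:
        return True

    raw = request.data.get('course', None)
    if raw is None:
        raw = request.data.get('pk', None)
    if raw is None:
        raw = request.data.get('id', None)
    if raw is None:
        # ``courses[]`` may carry several values; only the first is used.
        values = request.query_params.getlist('courses[]')
        raw = values[0] if values else None
    if raw is None:
        # Nothing to check a role against: deny.
        return False
    try:
        pk = int(raw)
    except (TypeError, ValueError):
        # Malformed id (non-numeric, list, ...): deny instead of a 500.
        return False

    if not super().has_permission(request, view):
        return False

    try:
        course = Course.objects.get(pk=pk)
        # NOTE(review): assumes at most one UserRole per (user, course);
        # a second row makes .get() raise MultipleObjectsReturned — confirm
        # the model enforces uniqueness.
        role = UserRole.objects.get(user=request.user, course=course).role
    except (Course.DoesNotExist, UserRole.DoesNotExist):
        # Unknown course, or no role on it: deny (the original let
        # Course.DoesNotExist propagate as a server error).
        return False

    perm = Permission.get(codename='view_question')
    return perm in role.permissions.all()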
def filter_data_by_user_and_perm(query_set, user, perm):
    """Restrict ``query_set`` to the rows on which ``user`` holds ``perm``.

    (Per the original author's note, nothing in the API calls this yet.)

    For every role assignment of ``user`` whose role carries ``perm``, the
    owner relation between the role's object type and ``query_set.model``
    (as returned by ``model_owner_rel``) becomes a filter on that assignment's
    ``object_id``; all such filters are OR-ed together. The accumulator starts
    from ``Q(pk__in=[])``, which matches nothing, so a user with no qualifying
    role receives an empty queryset rather than the whole table (deny by
    default).

    Args:
        query_set: Django QuerySet to filter.
        user: the user whose role assignments are consulted.
        perm: a ``Permission`` instance, or a codename that is looked up
            against the content type of ``query_set.model``.

    Returns:
        A QuerySet containing only the rows the user may see.
    """
    target_model = query_set.model
    content_type = ContentType.objects.get_for_model(target_model)
    if isinstance(perm, Permission):
        permission = perm
    else:
        permission = Permission.get(content_type=content_type, codename=perm)

    allowed = models.Q(pk__in=[])  # matches nothing until a role contributes
    for assignment in user_role.objects.filter(user=user):
        if permission not in assignment.role.permissions.all():
            continue
        # Lookup path from the target model back to the object this role is
        # scoped to; a falsy result means the two models are unrelated.
        lookup = model_owner_rel(assignment.role.object_type.model, target_model)
        if lookup:
            allowed |= models.Q(**{lookup: assignment.object_id})
    return query_set.filter(allowed)
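def has_permission(self, request, view):
    """Grant access to staff, or to a user whose role on the course named in
    the URL carries the required permission.

    Order of checks:
      1. the base-class permission; any falsy result denies (the original
         compared ``is False`` and would have let a ``None`` result through);
      2. ``request.user.is_staff`` -> allowed;
      3. the course id from ``view.kwargs['course_id']``, falling back to
         ``view.kwargs['pk']``; no id or a non-integer id -> denied;
      4. the user's ``UserRole`` on that course must exist and its role must
         include the permission looked up below.

    The debug ``print`` of the course id was removed.

    Args:
        request: DRF request; only ``request.user`` is read here.
        view: the view being checked; its ``kwargs`` supply the course id.

    Returns:
        bool: True when access is granted, False otherwise.
    """
    user = request.user
    if not super().has_permission(request, view):
        return False
    if user.is_staff:
        return True

    pk = view.kwargs.get('course_id', None)
    if pk is None:
        # NOTE(review): if a view's ``pk`` kwarg is the primary key of the
        # object being viewed rather than of a course, the role lookup below
        # runs against the wrong course — confirm for every view that uses
        # this permission class.
        pk = view.kwargs.get('pk', None)
    if pk is None:
        return False
    try:
        pk = int(pk)
    except (TypeError, ValueError):
        return False  # fail closed instead of surfacing an ORM error as a 500

    try:
        course = Course.objects.get(pk=pk)
        # NOTE(review): assumes at most one UserRole per (user, course);
        # a second row makes .get() raise MultipleObjectsReturned — confirm
        # the model enforces uniqueness.
        role = UserRole.objects.get(user=user, course=course).role
    except (Course.DoesNotExist, UserRole.DoesNotExist):
        # Unknown course, or no role on it: deny (the original let
        # Course.DoesNotExist propagate as a server error).
        return False

    # NOTE(review): the empty codename looks like a placeholder that was never
    # filled in. Depending on Permission.get it either raises (every non-staff
    # request errors out) or matches a permission with a blank codename. The
    # intended codename cannot be determined from this file, so it is left
    # unchanged — set it before relying on this class.
    perm = Permission.get(codename='')
    return perm in role.permissions.all()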
def get_quizzes_attempt_by_quiz_id(request, quiz_id):
    """Return the attempts on quiz ``quiz_id`` that the requesting user may see.

    Visibility:
        staff                                           -> every attempt
        a role with ``view_attempt`` on the quiz's course -> every attempt
        any other role on the quiz's course             -> own attempts only

    An unknown ``quiz_id``, or a user with no ``UserRole`` on the quiz's
    course, yields a 404 via ``get_object_or_404``.

    Args:
        request: the incoming request; ``request.user`` is the requester.
        quiz_id: primary key of the Quiz.

    Returns:
        An ``HttpResponse`` with status 200 carrying the serialised attempts.

    NOTE(review): ``django.http.HttpResponse`` does not accept a ``data``
    keyword; if ``HttpResponse`` here is Django's, this call raises TypeError
    and ``JsonResponse(payload, status=200)`` (or DRF's ``Response``) is what
    is wanted — confirm which class is imported.
    NOTE(review): an anonymous requester that is not staff reaches the
    ``UserRole`` lookup with an ``AnonymousUser``, which the ORM rejects with
    an error rather than a 403 — unless a decorator outside this listing
    enforces authentication, add that check.
    """
    requester = request.user
    quiz = get_object_or_404(Quiz, pk=quiz_id)

    if requester.is_staff:
        visible = Attempt.objects.filter(quiz=quiz)
    else:
        membership = get_object_or_404(UserRole, user=requester, course=quiz.course)
        view_all = Permission.get(codename='view_attempt')
        if view_all in membership.role.permissions.all():
            visible = Attempt.objects.filter(quiz=quiz)
        else:
            visible = Attempt.objects.filter(student=requester, quiz=quiz)

    payload = {"quiz_attempts": [serilizer_quiz_attempt(a) for a in visible]}
    return HttpResponse(status=200, data=payload)