我正在使用Django 1.9。当我尝试将PermissionRequiredMixin添加到基于类的视图时,它似乎不像预期的那样工作。我在auth_group中创建了一个新用户。此auth_group没有任何应用程序或模型的权限。这个新用户不是超级用户或管理员用户。但该应用程序不会阻止此用户访问需要permission_required的特定视图。Django - PermissionRequiredMixin与自定义用户模型以及AUTHENTICATION_BACKENDS
首先,这里是我试图以确保用户没有权限:
user.get_all_permissions() # return set() - empty permission, which is correct.
user.is_superuser # return false, which is correct.
user.has_perm('myapp.add_something or even any words that make no sense') # always return true, which is very weird.
应用程序有自定义的用户模型,并且也使用Django的allauth作为AUTHENTICATION_BACKENDS。我不确定PermissionRequiredMixin是否会检查user.has_perm()并且它总是返回true,所以这就是为什么检查权限无法按预期工作的原因?
# views.py
class My_View(PermissionRequiredMixin, View):
permission_required = 'polls.can_vote'
def get(self, request, *args, **kwargs):
# do something...
return render(request, "template.html", {})
# models.py - Custom User Model
class CustomUser(AbstractBaseUser, PermissionsMixin):
email = models.EmailField(
verbose_name='email address',
max_length=255,
unique=True,
)
group = models.ManyToManyField(Group, through='UserGroupRelationship')
....
# models.py - many-to-many relationship between user and group
class UserGroupRelationship(models.Model):
user = models.ForeignKey("CustomUser")
user_group = models.ForeignKey(Group)
我也尝试了旧的方式来检查urls.py的权限。它不阻止用户访问,所以我不认为这是使用PermissionRequiredMixin的问题。
urlpatterns = patterns('',
(r'^vote/', permission_required('polls.can_vote')(VoteView.as_view())),
)
我也搜索了几天,感谢上帝,我发现了这一点。我无法相信他们不会在文档中解释这一点 – diek