django-fsm:权限不引发异常
django-fsm: Permissions not raising exception
我的源和目标基于规则的过渡装饰器在 django-fsm(有限状态机)中运行良好。现在我正在尝试添加权限处理。这看起来很简单,但似乎无论我做什么,转换都会执行,无论用户是否有权限。根据文档,我尝试过使用 Django 权限字符串,并且尝试过使用 lambda。这些我都试过了:
@transition(field=state, source='prog', target='appr', permission='claims.change_claim')
和
@transition(field=state, source='prog', target='appr', permission=lambda instance, user: not user.has_perm('claims.change_claim'),)
并且,作为双重检查,因为 permission 应该响应任何可调用的返回 True/False,简单地:
@transition(field=state, source='prog', target='appr', permission=False)
def approve(self):
应该在访问转换时为所有用户提出TransitionNotAllowed。但是不会 - 即使没有权限的基本用户仍然可以执行转换 (claim.approve())。
为了证明我的权限字符串是正确的:
print(has_transition_perm(claim.approve, request.user))
打印错误。我正在按如下方式进行验证(适用于 source/target):
class ClaimEditForm(forms.ModelForm):
'''
Some users can transition claims through allowable states
'''
def clean_state(self):
state = self.cleaned_data['state']
if state == 'appr':
try:
self.instance.approve()
except TransitionNotAllowed:
raise forms.ValidationError("Claim could not be approved")
return state
class Meta:
model = Claim
fields = (
'state',
)
并且视图处理程序是标准的:
if request.method == "POST":
claim_edit_form = ClaimEditForm(request.POST, instance=claim)
if claim_edit_form.is_valid(): # Validate transition rules
我错过了什么?谢谢。
问题原来是 permission 属性 的验证与 source/target 验证器不同。您必须在代码的其他地方评估在装饰器中建立的权限,而不是装饰器引发错误。因此,要从表单执行权限验证,您需要传入用户对象,在表单的 init 中接收用户,然后与 has_transition_perm 的结果进行比较。所以这有效:
# model
@transition(field=state, source='prog', target='appr', permission='claims.change_claim')
def approve(self):
....
# view
if request.method == "POST":
claim_edit_form = ClaimEditForm(request.user, request.POST, instance=claim)
....
# form
from django_fsm import has_transition_perm
class ClaimEditForm(forms.ModelForm):
'''
Some users can transition claims through allowable states
(see permission property on claim.approve() decorator)
'''
def __init__(self, user, *args, **kwargs):
# We need to pass the user into the form to validate permissions
self.user = user
super(ClaimEditForm, self).__init__(*args, **kwargs)
def clean_state(self):
state = self.cleaned_data['state']
if state == 'appr':
if not has_transition_perm(self.instance.approve, self.user):
raise forms.ValidationError("You do not have permission for this transition")
我的源和目标基于规则的过渡装饰器在 django-fsm(有限状态机)中运行良好。现在我正在尝试添加权限处理。这看起来很简单,但似乎无论我做什么,转换都会执行,无论用户是否有权限。根据文档,我尝试过使用 Django 权限字符串,并且尝试过使用 lambda。这些我都试过了:
@transition(field=state, source='prog', target='appr', permission='claims.change_claim')
和
@transition(field=state, source='prog', target='appr', permission=lambda instance, user: not user.has_perm('claims.change_claim'),)
并且,作为双重检查,因为 permission 应该响应任何可调用的返回 True/False,简单地:
@transition(field=state, source='prog', target='appr', permission=False)
def approve(self):
应该在访问转换时为所有用户提出TransitionNotAllowed。但是不会 - 即使没有权限的基本用户仍然可以执行转换 (claim.approve())。
为了证明我的权限字符串是正确的:
print(has_transition_perm(claim.approve, request.user))
打印错误。我正在按如下方式进行验证(适用于 source/target):
class ClaimEditForm(forms.ModelForm):
'''
Some users can transition claims through allowable states
'''
def clean_state(self):
state = self.cleaned_data['state']
if state == 'appr':
try:
self.instance.approve()
except TransitionNotAllowed:
raise forms.ValidationError("Claim could not be approved")
return state
class Meta:
model = Claim
fields = (
'state',
)
并且视图处理程序是标准的:
if request.method == "POST":
claim_edit_form = ClaimEditForm(request.POST, instance=claim)
if claim_edit_form.is_valid(): # Validate transition rules
我错过了什么?谢谢。
问题原来是 permission 属性 的验证与 source/target 验证器不同。您必须在代码的其他地方评估在装饰器中建立的权限,而不是装饰器引发错误。因此,要从表单执行权限验证,您需要传入用户对象,在表单的 init 中接收用户,然后与 has_transition_perm 的结果进行比较。所以这有效:
# model
@transition(field=state, source='prog', target='appr', permission='claims.change_claim')
def approve(self):
....
# view
if request.method == "POST":
claim_edit_form = ClaimEditForm(request.user, request.POST, instance=claim)
....
# form
from django_fsm import has_transition_perm
class ClaimEditForm(forms.ModelForm):
'''
Some users can transition claims through allowable states
(see permission property on claim.approve() decorator)
'''
def __init__(self, user, *args, **kwargs):
# We need to pass the user into the form to validate permissions
self.user = user
super(ClaimEditForm, self).__init__(*args, **kwargs)
def clean_state(self):
state = self.cleaned_data['state']
if state == 'appr':
if not has_transition_perm(self.instance.approve, self.user):
raise forms.ValidationError("You do not have permission for this transition")