test: 列权限测试

2023-08-08 16:31:55 +08:00
parent 478aea32f1
commit 2722631276
2 changed files with 39 additions and 3 deletions
--- a/backend/dvadmin/utils/viewset.py
+++ b/backend/dvadmin/utils/viewset.py
@@ -16,6 +16,8 @@ from dvadmin.utils.filters import DataLevelPermissionsFilter
 from dvadmin.utils.import_export_mixin import ExportSerializerMixin, ImportSerializerMixin
 from dvadmin.utils.json_response import SuccessResponse, ErrorResponse, DetailResponse
 from dvadmin.utils.permission import CustomPermission
+from dvadmin.utils.models import get_custom_app_models
+from dvadmin.system.models import Columns
 from django_restql.mixins import QueryArgumentsMixin


@@ -61,12 +63,45 @@ class CustomModelViewSet(ModelViewSet, ImportSerializerMixin, ExportSerializerMi
    def get_serializer(self, *args, **kwargs):
        serializer_class = self.get_serializer_class()
        kwargs.setdefault('context', self.get_serializer_context())
+        # 全部以可见字段为准
+        can_see = self.get_column_permission(serializer_class)
+        # 排除掉序列化器级的字段
+        # sub_set = set(serializer_class._declared_fields.keys()) - set(can_see)
+        # for field in sub_set:
+        #     serializer_class._declared_fields.pop(field)
+        # if not self.request.user.is_superuser:
+        #     serializer_class.Meta.fields = can_see
+        # 在分页器中使用
+        self.request.permission_fields = can_see
        if isinstance(self.request.data, list):
            with transaction.atomic():
                return serializer_class(many=True, *args, **kwargs)
        else:
            return serializer_class(*args, **kwargs)

+    def get_column_permission(self, serializer_class):
+        """获取列权限"""
+        action_map = {
+            'list': 'is_query',
+            'retrieve': 'is_query',
+            'create': 'is_create',
+            'update': 'is_update'
+        }
+        finded = False
+        for app in get_custom_app_models():
+            for model in app:
+                if model['object'] is serializer_class.Meta.model:
+                    finded = True
+                    break
+            if finded:
+                break
+        if finded is False:
+            return []
+        column_permission = Columns.objects.filter(app=model['app'], model=model['model'])
+        if self.action in action_map:
+            return [obj.field_name for obj in column_permission if getattr(obj, action_map[self.action])]
+        return []
+
    def create(self, request, *args, **kwargs):
        serializer = self.get_serializer(data=request.data, request=request)
        serializer.is_valid(raise_exception=True)