Flask用户角色与权限 #

一、角色与权限设计 #

1.1 RBAC模型 #

text

用户
    ↓
角色
    ↓
权限

1.2 数据模型 #

python

class Role(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String(50), unique=True)
    description = db.Column(db.String(200))
    users = db.relationship('User', backref='role')

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80))
    role_id = db.Column(db.Integer, db.ForeignKey('role.id'))

二、权限检查 #

2.1 角色检查 #

python

from functools import wraps
from flask import abort
from flask_login import current_user

def role_required(role_name):
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            if not current_user.is_authenticated:
                abort(401)
            if current_user.role.name != role_name:
                abort(403)
            return f(*args, **kwargs)
        return decorated_function
    return decorator

@app.route('/admin')
@role_required('admin')
def admin():
    return '管理面板'

2.2 权限检查 #

python

def permission_required(permission):
    def decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            if not current_user.can(permission):
                abort(403)
            return f(*args, **kwargs)
        return decorated_function
    return decorator

三、用户模型扩展 #

python

class User(UserMixin, db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80))
    role_id = db.Column(db.Integer, db.ForeignKey('role.id'))
    
    @property
    def is_admin(self):
        return self.role.name == 'admin'
    
    def can(self, permission):
        return self.role and permission in self.role.permissions

四、下一步 #

接下来让我们学习 API设计原则，了解RESTful API设计！