我正在寻找有关我的应用程序的帮助。首先是示例代码(从大约 2k 行中删除...),稍后我将尝试解释我要查找的内容:
from google.appengine.ext import ndb
import webapp2
import json
class User(ndb.Model):
company_ = ndb.KeyProperty(repeated=True)
@property
def company(self):
return {} if not self.company_ else self.company_
@company.setter
def company(self, value):
if value:
self.company_ = self.company_.expand(value) if self.company_ else [value]
else:
self.company_ = []
self.put()
class Company(ndb.Model):
administrator = ndb.KeyProperty(kind=User, repeated=True)
manager = ndb.KeyProperty(kind=User, repeated=True)
# FAKE decorator
@staticmethod
def administrator(handler):
def check_requirements(self, *a, **kw):
if True:
return
else:
return handler(self, *a, **kw)
return check_requirements
class BaseHandler(webapp2.RequestHandler):
def jwrite(self, **kw):
return self.response.out.write( json.dumps(kw) )
class require(BaseHandler):
@staticmethod
def login(handler):
def check_requirements(self, *a, **kw):
if not self.auth.get_user_by_session():
self.redirect('/', abort=True)
else:
return handler(self, *a, **kw)
return check_requirements
class ApiHandler(BaseHandler):
@require.login
def post(self, model, action, key=''):
method = '_post_%s' % model
try:
getattr(self, method)(action, key)
except Exception as error:
return self.jwrite( error = error)
def _post_company(self, action, key):
if action == 'create':
data = dict(self.request.POST)
""" Company.create( data ) method:
Populates Company instance with POST data.
Assigns first user that created the company
both administrator and manager roles.
"""
key_ = Company.create( data )
if key_:
self.user.company = key_
return
elif action == 'delete':
@Company.administrator
def delete_all_user_companies(self):
ndb.delete_multi( self.user.company )
self.user.company = None
return
companies = ndb.get_multi( self.user.company )
if self.user.key in map( lambda c: c.administrator, companies):
delete_all_user_companies(self)
elif action == 'update':
@Company.manager
def update_company(self, key):
data = dict(self.request.POST)
""" Company.update( key, data ) method:
Populates Company instance with POST data
"""
key_ = Company.update( key, data )
if key_:
return
company = ndb.Key(Company, key).get()
if self.user.key in company.manager.extend(company.administrator):
update_company(self)
如您所见,我有用户和公司模型。用户可以拥有多个公司,公司可以拥有多个用户,这些用户可以是管理员或经理。您会注意到一些装饰器和嵌套函数 - 其中大多数都是假的 (; 但这就是我正在寻找的......
我正在使用 @require.login 装饰器进行基本的登录检查(我将其放在单独的类中,只是因为它在代码中看起来更干净 - @require.login 与 @BaseHandler.require_login )。有了它,我已经“保护”了 API 的 post 方法,现在我需要对角色进行额外的检查 - 管理员可以做一些经理不能做的事情。我需要在其他几个地方进行此检查,所以我认为这对于装饰器函数来说是一个好地方,但我不知道如何编写它们。我的第一个问题是:
什么地方适合这个装饰器?我应该将它放在 Company 类中还是 ApiHandler 类中的某个位置?我的第一直觉是将它放在 Company 类中,但我不确定如何处理范围 - 我需要以某种方式在那里获取用户实例(self.user.company 列表)...
接下来是manager装饰器。我如何将其写为装饰器:
company = ndb.Key(Company, key).get() if self.user.key in company.manager.extend(company.administrator): update_company(self)并将其用作@Company.manager或@requre.manager,具体取决于我第一个问题的答案?
管理员的另一个装饰器有点复杂 - 我必须检查用户是否是其所有公司的管理员,并删除他在的公司的管理员,同时保留他不在的公司的管理员:
companies = ndb.get_multi( self.user.company ) if self.user.key in map( lambda c: c.administrator, companies ): delete_all_user_companies(self)我什至不确定这个map()函数是否正确以及代码是否可以工作,还没有尝试过 - 现在它只是一个伪代码占位符......
最后一个问题:我应该担心 POST 请求黑客攻击吗?根据上面的示例代码,是否有可能某些用户可以发出自定义 POST 请求并删除或更新不属于他的公司?
任何帮助、评论或见解将不胜感激(;谢谢!
最佳答案
我相信我已经解决了这个问题:
from google.appengine.ext import ndb
import webapp2
import json
class User(ndb.Model):
company_ = ndb.KeyProperty(repeated=True)
@property
def company(self):
return {} if not self.company_ else self.company_
@company.setter
def company(self, value):
if value:
# self.company_ = self.company_.expand(value) if self.company_ else [value]
# Lists mutate when expanded. Code above was returning None
self.company_ = self.company_ + [value] if self.company_ else [value]
else:
self.company_ = []
self.put()
class Company(ndb.Model):
administrator = ndb.KeyProperty(kind=User, repeated=True)
manager = ndb.KeyProperty(kind=User, repeated=True)
class BaseHandler(webapp2.RequestHandler):
def jwrite(self, **kw):
return self.response.out.write( json.dumps(kw) )
class require(BaseHandler):
@staticmethod
def login(handler):
def check_requirements(self, *a, **kw):
if not self.auth.get_user_by_session():
self.redirect('/', abort=True)
else:
return handler(self, *a, **kw)
return check_requirements
class role(BaseHandler):
@staticmethod
def administrator(handler):
def check_requirements(self, *a, **kw):
# I didn't care much about optimizing queries
# since this isn't frequent operation.
# For more frequent calls, I'd consider projections.
companies = ndb.get_multi( *a )
# Next lines checks if current user is administrator
# for all companies passed to the function
if not self.user.key in reduce(lambda x, y: x if x != y else y, map(lambda c: c.administrator, companies)):
return self.jwrite( error = 'Permission denied. Administrator required.' )
else:
return handler(self, *a, **kw)
return check_requirements
@staticmethod
def manager(handler):
def check_requirements(self, *a, **kw):
companies = ndb.get_multi( *a )
# Next lines checks if current user is manager
# or administrator (since admin has higher privileges)
# for all companies passed to the function
if not self.user.key in reduce(lambda x, y: x if x != y else y, map(lambda c: c.manager + c.administrator, companies)):
return self.jwrite( error = 'Permission denied. Manager or Administrator required.' )
else:
return handler(self, *a, **kw)
return check_requirements
class ApiHandler(BaseHandler):
@require.login
def post(self, model, action, key=''):
method = '_post_%s' % model
try:
getattr(self, method)(action, key)
except Exception as error:
return self.jwrite( error = error)
def _post_company(self, action, key):
if action == 'create':
data = dict(self.request.POST)
""" Company.create( data ) method:
Populates Company instance with POST data.
Assigns first user that created the company
both administrator and manager roles.
"""
key_ = Company.create( data )
if key_:
self.user.company = key_
return
elif action == 'delete':
@role.administrator
def delete_all_user_companies(self, *a):
ndb.delete_multi( *a )
self.user.company = None
return
delete_all_user_companies( self, self.user.company )
elif action == 'update':
@role.manager
def update_company(self, *a ):
data = dict(self.request.POST)
""" Company.update( key, data ) method:
Populates Company instance with POST data
"""
key_ = Company.update( key, data )
if key_:
return
update_company(self, ndb.Key(Company, key))
并回答我自己的问题:
我在 Company 类内部命名时遇到了问题 - 属性管理员和装饰者具有相同的名称。因此,为了方便起见,我将装饰器移至 API 中,移至新类(角色)中。当我编写装饰器时,我意识到我可以将它们用于任何其他模型(带有经理和管理员字段),所以我想这是一个很好的选择(;
编写装饰器花了一些时间并尝试映射和减少数组,但我已经成功地完成了。我不确定是否将参数传递给装饰器。也许我应该在装饰器之外进行查询?或者将匹配的项目传递给处理函数?我得调查一下……
...并删除他所在的位置,同时保留他不是管理员的位置 这就是我首先在装饰器内进行查询的原因。但仍不确定它是否聪明(;
我仍然可以使用这个问题的答案。
希望这对某人有帮助......
关于python - ndb 模型、装饰器、嵌套函数,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/16796558/