django - 如何定义 django 视图的权限?
问题描述
我有这些模型:
class Author(Model):
user = OneToOneField(User, on_delete=CASCADE)
# Fields
class Post(Model):
author = ForeignKey(Author, on_delete=CASCADE)
title = models.CharField(max_length=200)
text = models.TextField()
和一些观点如下:
def authors(request)
authors = Authors.objects.all()
return render(request, 'authors.html', {'authors': authors})
作者的视图有一个对应的url路径如下:
path('authors/', authors, name='authors')
在authors.html中,我循环遍历作者,对于每个作者,我都有一个链接,将作者主键发送到作者网址并查看:
{% for author in authors%}
<a href="{% url 'author' author_pk=author.pk %}"{{author.user.email}}</a><br><br>
{% endfor %}
好的; 每个人都可以看到作者列表。
然后我有作者网址路径如下:
path('authors/<int:author_pk>/', author, name='author')
path('authors/<int:author_pk>/<int:post_pk>/delete/', author_delete_post, name='author_delete_post')
我有作者视图,其中显示了每个作者发布的帖子和一个删除它的按钮。
def author(request, author_pk)
author=get_object_or_404(Author, pk=author_pk)
author_posts = Post.objects.filter(author=author)
return render(request, 'author.html', {'author_posts': author_posts}
@login_required
def author_delete_post(request, author_pk, post_pk):
author=get_object_or_404(Author, pk=author_pk)
author_post = Post.objects.get(author=author, pk=post_pk) # I know that author=author is redundent but it makes no problem
author_post.delete()
return redirect(author, author_pk)
此作者模板:
{% for author_post in author_posts %}
{{author_post.title}}<br>
{% if user.is_authenticated and author.user == user %}
<a href="{% url 'author_delete_post' author_pk=author_post.author.pk post_pk=author_post.pk %}">Delete</a><br><br><br>
{% endif %}
{% endfor %}
我让那些登录并在他们自己的页面中的作者能够看到删除按钮。这有点像 facebook,用户只能删除他/她的帖子,而不是其他人的帖子。
我的问题:假设有另一个 pk=1 并已登录。虽然他/她在此页面中时看不到删除按钮:
'/authors/2/'
他/她可以使用 url 并删除另一个用户的帖子pk=2
'authors/2/10/delete/'
我怎么解决这个问题?
解决方案
您可以使用request.user
来检查对象是否属于登录用户
此外,您不需要添加author_pk
. 你可以得到作者author = get_object_or_404(Author, user=request.user)
@login_required
def author_delete_post(request, post_pk):
author = get_object_or_404(Author, user=request.user)
author_post = Post.objects.get(author=author, pk=post_pk) # I know that author=author is redundent but it makes no problem
# check if the post belongs to the logged in user
if author_post.author.user == request.user:
# delete here
return redirect(author, author.pk)
推荐阅读
- web-crawler - 网站如何知道它是无头 Puppeteer?
- linux - 如何仅下载以某个值开头并以其他值结尾的文件?
- r - 基于R中多列的唯一组合对行进行编号
- azure-cosmosdb - 选择 IN 查询 cosmos DB
- android - 无法提供 Dagger Component.Factory
- excel - 通过解析将数据从 Outlook 导出到 Excel
- node.js - 如何从 Node.Js 应用程序中处理 Express 4 中的错误?
- java - Java ee 批处理:CWWKY0030I:运行步骤时发生异常
- c# - 关闭 C# Windows 窗体应用程序时重置模态窗体
- python - 数据框扩展窗口和应用多种功能