How to restrict unauthorized user to have access to different pages in django
I have this model:
from django.db.models import CASCADE, Model, OneToOneField

class Student(Model):
    user = OneToOneField(CustomUser, on_delete=CASCADE, related_name='student')
and this URL:
path('students/<int:student_pk>/', student, name='student')
and this view:
from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

@login_required
def student(request, student_pk):
    return HttpResponse('This is your personal panel')
Well, by using the login_required decorator I restrict users who are not logged in from viewing the student panel page. But other logged-in students can see other people's panels.
How can I restrict them from doing that?
I could do:
from django.contrib.auth.decorators import login_required
from django.http import HttpResponse
from django.shortcuts import get_object_or_404

from .models import Student  # assumes Student lives in this app's models.py

@login_required
def student(request, student_pk):
    student_ins = get_object_or_404(Student, pk=student_pk)
    if student_ins == request.user.student:
        return HttpResponse('This is your personal panel')
    else:
        return HttpResponse("Please do not try to see other students' panels! You are not authorized to do this")
However, I would prefer to do it in a decorator. For example, log out the logged-in student with pk=1 if he/she enters this in the URL: www.example.com/students/2
Try this:
from functools import wraps

from django.contrib.auth import logout
from django.http import HttpResponse
from django.shortcuts import get_object_or_404

from .models import Student  # assumes Student lives in this app's models.py

def check_profile(function):
    @wraps(function)
    def wrap(request, *args, **kwargs):
        user = request.user
        # the URL kwarg is named student_pk, so look it up by that string
        student_ins = get_object_or_404(Student, pk=kwargs.get('student_pk'))
        # compare the Student's owning user with the logged-in user
        if student_ins.user != user:
            logout(request)
            return HttpResponse("Please do not try to see other students' panels! You are not authorized to do this")
        return function(request, *args, **kwargs)  # authorized: run the view
    return wrap
and use it like this:
@check_profile
@login_required
def student(request, student_pk):
    pass  # ...
This should do what you want, but keep in mind that this is usually not a good idea unless you have a very specific use case. Basically, what you should do is have a URL like /profile/ and display the user's profile based on request.user; that is the cleaner way.
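As an added example (not code from the question or the answer above), here is the same ownership check written to refuse with a 403 instead of logging the user out, plus the /profile/ route keyed on request.user that the answer recommends. It uses small stand-ins (Http404, PermissionDenied, User, Student, STUDENTS, make_request, all assumed names) for Django's objects so that it runs without Django installed.

```python
from dataclasses import dataclass
from functools import wraps
from types import SimpleNamespace

class Http404(Exception):
    """Stand-in for django.http.Http404."""

class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (a 403)."""

@dataclass(frozen=True)
class User:
    pk: int

@dataclass(frozen=True)
class Student:
    pk: int
    user: User  # owning user, like the OneToOneField in the question

STUDENTS = {1: Student(1, User(10)), 2: Student(2, User(20))}  # constructed sample rows

def get_student_or_404(pk):
    """Stand-in for get_object_or_404(Student, pk=pk)."""
    if pk not in STUDENTS:
        raise Http404(f"Student {pk} not found")
    return STUDENTS[pk]

def owner_required(view):
    """Allow the view only when the Student in the URL belongs to request.user."""
    # A 403 keeps the session intact; logging out (as in the answer) punishes a typo.
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        student = get_student_or_404(kwargs["student_pk"])  # the URL kwarg name
        if student.user != request.user:
            raise PermissionDenied("not your panel")
        return view(request, *args, **kwargs)
    return wrapper

@owner_required
def student_view(request, student_pk):
    return f"This is your personal panel (student {student_pk})"

def profile_view(request):
    """The cleaner route the answer recommends: /profile/ keyed on request.user."""
    student = next(s for s in STUDENTS.values() if s.user == request.user)
    return f"This is your personal panel (student {student.pk})"

def make_request(user_pk):
    """Request-like object with .user, as Django's test client would supply."""
    return SimpleNamespace(user=User(user_pk))
```

In a real project, stack owner_required below @login_required (decorators apply outermost first) so the ownership check only ever sees an authenticated user.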