I have this model:

```python
from django.db.models import CASCADE, Model, OneToOneField

# CustomUser is the project's user model, defined elsewhere
class Student(Model):
    user = OneToOneField(CustomUser, on_delete=CASCADE, related_name='student')
```

and this URL:

```python
from django.urls import path

urlpatterns = [
    path('students/<int:student_pk>/', student, name='student'),
]
```

and this view:

```python
from django.contrib.auth.decorators import login_required
from django.http import HttpResponse

@login_required
def student(request, student_pk):
    return HttpResponse('This is your personal panel')
```

Well, by using the login_required decorator I have restricted users who are not logged in from viewing the student panel page. But other logged-in students can see other students' panels.
How can I restrict them?
I could do this:

```python
from django.contrib.auth.decorators import login_required
from django.http import HttpResponse
from django.shortcuts import get_object_or_404

@login_required
def student(request, student_pk):
    student_ins = get_object_or_404(Student, pk=student_pk)
    if student_ins == request.user.student:
        return HttpResponse('This is your personal panel')
    else:
        # double-quoted: the apostrophe in "students'" would end a single-quoted string
        return HttpResponse("Please do not try to see other students' panels! You are not authorized to do this")
```

But I would prefer to do it in a decorator. For example, if the logged-in student (pk = 1) enters www.example.com/students/2 in the URL, log that student out.
Try this:

```python
from functools import wraps

from django.contrib.auth import logout
from django.http import HttpResponse
from django.shortcuts import get_object_or_404

def check_profile(function):
    @wraps(function)
    def wrap(request, *args, **kwargs):
        user = request.user
        # the URL kwarg is looked up by its name as a string
        student_ins = get_object_or_404(Student, pk=kwargs.get('student_pk'))
        # compare the Student's owning user with the requesting user
        if student_ins.user != user:
            logout(request)
            return HttpResponse("Please do not try to see other students' panels! You are not authorized to do this")
        # owner: run the wrapped view
        return function(request, *args, **kwargs)
    return wrap
```

and use it like this:

```python
# login_required is outermost so anonymous requests are redirected to the
# login page before check_profile looks at request.user
@login_required
@check_profile
def student(request, student_pk):
    ...
```
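An added example, not part of the question or the answer above: the same ownership check written as a decorator, with Django's request, user and Student objects replaced by constructed stand-ins (the dataclasses User, Student, Request and the STUDENTS dict are assumptions of this example) so it runs without a Django install. It refuses with a 403 instead of logging the user out, and covers the owner, non-owner, missing-object and anonymous cases.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed stand-ins mirroring the attributes the Django objects expose:
# request.user, Student.user (the OneToOneField) and the student_pk URL kwarg.
@dataclass(frozen=True)
class User:
    pk: int
    is_authenticated: bool = True

@dataclass(frozen=True)
class Student:
    pk: int
    user: User

@dataclass
class Request:
    user: User

# Constructed sample table: student 1 belongs to user 10, student 2 to user 20.
STUDENTS = {1: Student(1, User(10)), 2: Student(2, User(20))}
ANONYMOUS = User(pk=0, is_authenticated=False)

def get_student_or_none(pk):
    """Stand-in for get_object_or_404(Student, pk=pk); None means 404."""
    return STUDENTS.get(pk)

def owns_student_panel(view):
    """Run the view only when the Student named in the URL belongs to request.user."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        # In Django, login_required (placed outermost) handles this case.
        if not request.user.is_authenticated:
            return (401, "login required")
        student = get_student_or_none(kwargs.get("student_pk"))
        if student is None:
            return (404, "not found")
        # Compare the Student's owning user with the requester, never Student with User.
        # A 403 refusal is the usual response; the answer's logout could be added here.
        if student.user != request.user:
            return (403, "forbidden")
        return view(request, *args, **kwargs)
    return wrapper

@owns_student_panel
def student_panel(request, student_pk):
    return (200, f"panel of student {student_pk}")
```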