我正在使用Django中的自定义构建装饰器。
我的decorators.py:
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.contrib.auth.decorators import user_passes_test
def industry_required(function=None, redirect_field_name=REDIRECT_FIELD_NAME, login_url='app2:request_login'):
actual_decorator = user_passes_test(
lambda u: u.is_active and u.is_Industry,
login_url=login_url,
redirect_field_name=redirect_field_name
)
if function:
return actual_decorator(function)
return actual_decorator
这is_Industry是一个布尔值,来自models.py。
我的views.py:
@method_decorator(industry_required, name='dispatch')
class industryDetails(DetailView):
model = Industry
template_name = 'app/industryDetails.html'
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context['inserted_text'] = "inserted text from EmployeeDetails of views.py"
return context
在urls.py中:
path('industryDetails/<int:pk>/', views.industryDetails.as_view(), name='industryDetails')
如果需要,还包括models.py:
class myCustomeUser(AbstractUser):
id = models.AutoField(primary_key=True)
username = models.CharField(max_length=20, unique="True", blank=False)
password = models.CharField(max_length=20, blank=False)
is_Employee = models.BooleanField(default=False)
is_Inspector = models.BooleanField(default=False)
is_Industry = models.BooleanField(default=False)
is_Admin = models.BooleanField(default=False)
class Industry(models.Model):
user = models.OneToOneField(myCustomeUser, on_delete=models.CASCADE, primary_key=True, related_name='industry_releted_user')
name = models.CharField(max_length=200, blank=True)
owner = models.CharField(max_length=200, blank=True)
license = models.IntegerField(null=True, unique=True)
industry_extrafield = models.TextField(blank=True)
现在我的问题是,假设具有的用户primary_key=3可以primary_key=2通过使用http://127.0.0.1:8000/industryDetails/2/(通过更改此地址路径中的主键)轻松访问具有的其他用户的数据。我需要停止这个项目。如何以任何用户只能访问自己的详细信息的方式对此进行编码?
这与装饰器本身无关,您只需要过滤阻止人们访问另一个装饰器Industry,所以:
@method_decorator(industry_required, name='dispatch')
class industryDetails(LoginRequiredMixin, DetailView):
model = Industry
template_name = 'app/industryDetails.html'
def get_queryset(self):
return Industry.objects.filter(user=self.request.user)
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context['inserted_text'] = "inserted text from EmployeeDetails of views.py"
return context由于每个用户都可以但是最多有一个 Industry,你也许应该不添加主键的URL。因此,您可以定义如下路径:
path('industryDetails/', views.industryDetails.as_view(), name='industryDetails')并在视图中覆盖该get_object方法:
from django.shortcuts import get_object_or_404
@method_decorator(industry_required, name='dispatch')
class industryDetails(LoginRequiredMixin, DetailView):
model = Industry
template_name = 'app/industryDetails.html'
def get_object(self):
return get_object_or_404(Industry, user=self.request.user)
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context['inserted_text'] = "inserted text from EmployeeDetails of views.py"
return context本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句