In a Django app, how do I prevent users from deleting content not created by them?
I created a simple question app: when a question is clicked it shows its options (choices). I made login and register forms so users can log in.
I want to know how to restrict users to deleting only the questions created by them. Every question has a delete button next to it.
I have read most of the material on permissions, but I don't know how to do it.
I can apply a permission that forbids deleting any question at all, but how do I stop a user from deleting certain specific questions, or questions they did not create?
Here is views.py:
```python
from django.http import HttpResponse, HttpResponseRedirect
from django.utils import timezone

from .models import Question


def addquestion(request):
    item_to_add = request.POST['content']
    item = Question.objects.create(question_text=item_to_add, pub_date=timezone.now())
    # Builds a second, unsaved Question instance; `item` itself is never linked to request.user
    user_now = Question(user=request.user)
    item.save()
    return HttpResponseRedirect('/home/questions')


def deletequestion(request, question_id):
    item_to_delete = Question.objects.get(id=question_id)
    if item_to_delete.user == request.user:
        item_to_delete.delete()
        return HttpResponseRedirect('/home/questions')
    else:
        return HttpResponse('You are not authorised to delete this question')
```
Here is models.py:
```python
from django.db import models
from vote.models import VoteModel
from django.contrib.auth.models import User


# Create your models here.
class Question(VoteModel, models.Model):
    question_text = models.TextField(max_length=300)
    pub_date = models.DateTimeField('date published')
    user = models.OneToOneField(User, on_delete=models.CASCADE, null=True)

    def __str__(self):
        return self.question_text


class Choice(models.Model):
    choice_text = models.CharField(max_length=300)
    votes = models.IntegerField(default=0)
    question = models.ForeignKey(Question, on_delete=models.CASCADE)

    def __str__(self):
        return self.choice_text
```
You should filter your question queryset:
```python
from django.core.exceptions import PermissionDenied
from django.db.models import Q
...
try:
    # The owner is part of the lookup, so someone else's question is simply not found
    Question.objects.get(Q(id=question_id) & Q(user=request.user)).delete()
except Question.DoesNotExist:
    raise PermissionDenied("User can't delete this question.")
...
```
Q objects let you combine filters with logical operations.
Reference: https://docs.djangoproject.com/es/2.1/topics/db/queries/#complex-lookups-with-q-objects
Update:
As pointed out in the comments, in this particular case you can achieve the same thing with:
```python
try:
    Question.objects.get(id=question_id, user=request.user).delete()
except Question.DoesNotExist:
    raise PermissionDenied("User can't delete this question.")
```
Maybe request.user is a string containing the user ID, so before comparing it with item_to_delete.user you have to fetch the User object for that ID.
```python
from django.contrib.auth.models import User

logged_user = User.objects.get(id=request.user)
if logged_user == item_to_delete.user:
    # delete
    item_to_delete.delete()
else:
    return HttpResponse('You are not authorised to delete this question')
```