如何在 Django 中阻止其他已登录用户访问某个页面?
How to block page access to other logged-in users in Django?
我正在尝试阻止已登录用户访问其他用户的"更新个人资料"页面。
我的情况:
假设用户 A 登录后知道了其他用户的更新个人资料 URL。在这种情况下,他只需直接打开那个 URL 就能进入其他用户的更新个人资料页面(这是典型的 IDOR / 对象级授权缺失问题:URL 中的 slug 由客户端任意指定,而服务端没有把它和当前登录用户绑定)。
所以,我想把这个页面限制为只允许当前登录用户更新自己的个人资料。
这是我更新个人资料的代码:
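@login_required
def UpdateProfile(request, slug):
    """Let the logged-in user edit *their own* Profile, looked up by ``slug``.

    ``slug`` comes straight from the URL, so any logged-in user can type
    another user's slug.  The ownership check below is what stops that;
    without it this view is a classic IDOR / broken object-level
    authorization.

    Returns a 403 (``PermissionDenied``) when the Profile is not the
    caller's, a 404 when the slug does not exist, a redirect to
    ``updateaddress`` after a successful save, and the rendered form
    otherwise.
    """
    # Kept at function scope only so this snippet is self-contained;
    # in a real views.py these belong at the top of the module.
    from django.core.exceptions import PermissionDenied
    from django.shortcuts import get_object_or_404

    profile = get_object_or_404(Profile, slug=slug)
    # Compare Profile with Profile.  request.user.profile is the reverse
    # one-to-one accessor this view already relied on for the redirect.
    if profile != request.user.profile:
        raise PermissionDenied  # 403 -- never touch someone else's row

    if request.method == "POST":
        form = UpdateProfileForm(request.POST, request.FILES, instance=profile)
        if form.is_valid():
            # form.save() writes cleaned_data (including profile_pic) to the
            # instance; the old `form.profile_pic = ...` line set an attribute
            # on the form object and had no effect.
            form.save()
            messages.success(request, "Data Updated successfully")
            return HttpResponseRedirect(reverse('updateaddress', args=(profile.slug,)))
        messages.error(request, "Please check all fields are valid")
        # Send the user back to this page rather than trusting the
        # client-supplied Referer header (it may be missing or arbitrary).
        return HttpResponseRedirect(reverse('updateprofile', args=(profile.slug,)))

    form = UpdateProfileForm(instance=profile)
    context = {
        # NOTE: the key 'user' shadows the auth context processor's `user`
        # inside this template; kept because the template expects it.
        'user': profile,
        'form': form,
    }
    return render(request, "authentication/register/update/profile.html", context)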
urls.py
# The slug is captured from the URL, i.e. chosen by the client.  Nothing in
# the route ties it to the logged-in user, so the view must check ownership.
path("<slug:slug>/update-profile/", UpdateProfile, name="updateprofile"),
你可以这样做(注意:`Profile` 的主键和 `User` 的主键属于不同的表,并不一定相同,所以应该比较同一模型的对象,而不是 `profile.id` 与 `request.user.id`):
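@login_required
def UpdateProfile(request, slug):
    """Only let a user update the Profile that is their own.

    The original comparison ``user.id == request.user.id`` compared the
    *Profile* primary key with the *User* primary key.  Those live in
    different tables and only coincide by accident, so it could both lock
    an owner out and let a stranger in.  Compare Profile with Profile.
    """
    # Function-scope only to keep the snippet self-contained.
    from django.core.exceptions import PermissionDenied
    from django.shortcuts import get_object_or_404

    profile = get_object_or_404(Profile, slug=slug)
    if profile != request.user.profile:
        raise PermissionDenied  # 403 for anyone who is not the owner

    if request.method == "POST":
        form = UpdateProfileForm(request.POST, request.FILES, instance=profile)
        if form.is_valid():
            ...  # save / message / redirect exactly as in the question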
你也可以像下面这样直接比较模型对象(必须比较同一模型的实例——Profile 与 Profile;Django 中不同模型的实例比较永远不相等):
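@login_required
def UpdateProfile(request, slug):
    """Refuse the request unless the Profile behind ``slug`` is request.user's.

    Fixes versus the original snippet:
    * ``messages`` (not ``message``), and it needs ``request`` first.
    * A view must return an HttpResponse; a bare ``return`` makes Django
      raise ValueError.  We redirect the caller to their own page.
    * ``profile != request.user`` compared a Profile with a User; Django
      model equality is always False across different models, so it
      rejected everyone, owner included.  Compare with request.user.profile.
    """
    from django.shortcuts import get_object_or_404  # module top in real code

    profile = get_object_or_404(Profile, slug=slug)
    if profile != request.user.profile:
        messages.info(request, "You can't update the other user profile")
        return HttpResponseRedirect(
            reverse('updateprofile', args=(request.user.profile.slug,))
        )
    ...  # rest of the view unchanged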
如 Django 文档中所述(同一具体模型、同一主键的实例才相等):
https://docs.djangoproject.com/en/4.0/topics/db/queries/#comparing-objects
你也可以把这个检查放进装饰器里,比如:
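def verify_user_profile(view_func):
    """Decorator: run ``view_func`` only when the ``slug`` URL kwarg is the
    logged-in user's own Profile slug; otherwise raise PermissionDenied (403).

    Fixes versus the original:
    * Django passes ``path()`` converter values as *keyword* arguments, so
      ``args[0]`` raised IndexError -- read ``kwargs["slug"]`` instead.
    * A Profile was compared with a User, which is never equal in Django.
    * The wrapper returned ``None`` on mismatch, which Django rejects.
    * ``functools.wraps`` keeps the view's name/docstring for debugging.

    Stack it *under* ``@login_required`` so anonymous users are redirected
    before ``request.user.profile`` is touched.
    """
    # Function-scope only to keep the snippet self-contained.
    from functools import wraps
    from django.core.exceptions import PermissionDenied

    @wraps(view_func)
    def wrapper_func(request, *args, **kwargs):
        # No DB query needed: the owner's slug is already on request.user.
        # A missing "slug" kwarg means the route is misconfigured; fail loudly.
        if request.user.profile.slug != kwargs["slug"]:
            raise PermissionDenied
        return view_func(request, *args, **kwargs)

    return wrapper_func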
视图的写法将是(注意 `@login_required` 必须放在最外层,这样匿名用户会先被重定向,所有权检查才能安全地使用 `request.user`):
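# Decorators apply bottom-up, so the top one runs first on each request:
# login_required bounces anonymous users before the ownership check needs
# request.user.  The original order put verify_user_profile outermost.
@login_required
@verify_user_profile
def UpdateProfile(request, slug):
    ...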
我正在尝试阻止已登录用户访问其他用户的"更新个人资料"页面。
我的情况:
假设用户 A 登录后知道了其他用户的更新个人资料 URL。在这种情况下,他只需直接打开那个 URL 就能进入其他用户的更新个人资料页面(这是典型的 IDOR / 对象级授权缺失问题:URL 中的 slug 由客户端任意指定,而服务端没有把它和当前登录用户绑定)。所以,我想把这个页面限制为只允许当前登录用户更新自己的个人资料。
这是我更新个人资料的代码:
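@login_required
def UpdateProfile(request, slug):
    """Let the logged-in user edit *their own* Profile, looked up by ``slug``.

    ``slug`` comes straight from the URL, so any logged-in user can type
    another user's slug.  The ownership check below is what stops that;
    without it this view is a classic IDOR / broken object-level
    authorization.

    Returns a 403 (``PermissionDenied``) when the Profile is not the
    caller's, a 404 when the slug does not exist, a redirect to
    ``updateaddress`` after a successful save, and the rendered form
    otherwise.
    """
    # Kept at function scope only so this snippet is self-contained;
    # in a real views.py these belong at the top of the module.
    from django.core.exceptions import PermissionDenied
    from django.shortcuts import get_object_or_404

    profile = get_object_or_404(Profile, slug=slug)
    # Compare Profile with Profile.  request.user.profile is the reverse
    # one-to-one accessor this view already relied on for the redirect.
    if profile != request.user.profile:
        raise PermissionDenied  # 403 -- never touch someone else's row

    if request.method == "POST":
        form = UpdateProfileForm(request.POST, request.FILES, instance=profile)
        if form.is_valid():
            # form.save() writes cleaned_data (including profile_pic) to the
            # instance; the old `form.profile_pic = ...` line set an attribute
            # on the form object and had no effect.
            form.save()
            messages.success(request, "Data Updated successfully")
            return HttpResponseRedirect(reverse('updateaddress', args=(profile.slug,)))
        messages.error(request, "Please check all fields are valid")
        # Send the user back to this page rather than trusting the
        # client-supplied Referer header (it may be missing or arbitrary).
        return HttpResponseRedirect(reverse('updateprofile', args=(profile.slug,)))

    form = UpdateProfileForm(instance=profile)
    context = {
        # NOTE: the key 'user' shadows the auth context processor's `user`
        # inside this template; kept because the template expects it.
        'user': profile,
        'form': form,
    }
    return render(request, "authentication/register/update/profile.html", context)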
urls.py
# The slug is captured from the URL, i.e. chosen by the client.  Nothing in
# the route ties it to the logged-in user, so the view must check ownership.
path("<slug:slug>/update-profile/", UpdateProfile, name="updateprofile"),
你可以这样做(注意:`Profile` 的主键和 `User` 的主键属于不同的表,并不一定相同,所以应该比较同一模型的对象,而不是 `profile.id` 与 `request.user.id`):
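@login_required
def UpdateProfile(request, slug):
    """Only let a user update the Profile that is their own.

    The original comparison ``user.id == request.user.id`` compared the
    *Profile* primary key with the *User* primary key.  Those live in
    different tables and only coincide by accident, so it could both lock
    an owner out and let a stranger in.  Compare Profile with Profile.
    """
    # Function-scope only to keep the snippet self-contained.
    from django.core.exceptions import PermissionDenied
    from django.shortcuts import get_object_or_404

    profile = get_object_or_404(Profile, slug=slug)
    if profile != request.user.profile:
        raise PermissionDenied  # 403 for anyone who is not the owner

    if request.method == "POST":
        form = UpdateProfileForm(request.POST, request.FILES, instance=profile)
        if form.is_valid():
            ...  # save / message / redirect exactly as in the question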
你也可以像下面这样直接比较模型对象(必须比较同一模型的实例——Profile 与 Profile;Django 中不同模型的实例比较永远不相等):
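@login_required
def UpdateProfile(request, slug):
    """Refuse the request unless the Profile behind ``slug`` is request.user's.

    Fixes versus the original snippet:
    * ``messages`` (not ``message``), and it needs ``request`` first.
    * A view must return an HttpResponse; a bare ``return`` makes Django
      raise ValueError.  We redirect the caller to their own page.
    * ``profile != request.user`` compared a Profile with a User; Django
      model equality is always False across different models, so it
      rejected everyone, owner included.  Compare with request.user.profile.
    """
    from django.shortcuts import get_object_or_404  # module top in real code

    profile = get_object_or_404(Profile, slug=slug)
    if profile != request.user.profile:
        messages.info(request, "You can't update the other user profile")
        return HttpResponseRedirect(
            reverse('updateprofile', args=(request.user.profile.slug,))
        )
    ...  # rest of the view unchanged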
如 Django 文档中所述(同一具体模型、同一主键的实例才相等): https://docs.djangoproject.com/en/4.0/topics/db/queries/#comparing-objects
你也可以把这个检查放进装饰器里,比如:
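def verify_user_profile(view_func):
    """Decorator: run ``view_func`` only when the ``slug`` URL kwarg is the
    logged-in user's own Profile slug; otherwise raise PermissionDenied (403).

    Fixes versus the original:
    * Django passes ``path()`` converter values as *keyword* arguments, so
      ``args[0]`` raised IndexError -- read ``kwargs["slug"]`` instead.
    * A Profile was compared with a User, which is never equal in Django.
    * The wrapper returned ``None`` on mismatch, which Django rejects.
    * ``functools.wraps`` keeps the view's name/docstring for debugging.

    Stack it *under* ``@login_required`` so anonymous users are redirected
    before ``request.user.profile`` is touched.
    """
    # Function-scope only to keep the snippet self-contained.
    from functools import wraps
    from django.core.exceptions import PermissionDenied

    @wraps(view_func)
    def wrapper_func(request, *args, **kwargs):
        # No DB query needed: the owner's slug is already on request.user.
        # A missing "slug" kwarg means the route is misconfigured; fail loudly.
        if request.user.profile.slug != kwargs["slug"]:
            raise PermissionDenied
        return view_func(request, *args, **kwargs)

    return wrapper_func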
视图的写法将是(注意 `@login_required` 必须放在最外层,这样匿名用户会先被重定向,所有权检查才能安全地使用 `request.user`):
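# Decorators apply bottom-up, so the top one runs first on each request:
# login_required bounces anonymous users before the ownership check needs
# request.user.  The original order put verify_user_profile outermost.
@login_required
@verify_user_profile
def UpdateProfile(request, slug):
    ...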