我怎样才能确保用户不会删除我网站中的另一个用户对象 [Django]
how can I ensure a user will not delete another user object in my website [Django]
我写了一个功能,允许用户删除他在博客网站上的文章。问题是,如果他稍微玩一下 url,他就可以访问另一篇文章并将其删除。
使用 django 避免此类情况的常用策略是什么?
以下是我为函数编写的代码:
views.py
def delete_article(request, id):
deleted = False
logged_user = get_logged_user_from_request(request) #that line allow to ensure that the user is connected. I use the session to achieve that instead of extending the User model
offer = get_object_or_404(Offer, id=id)
if request.method == 'POST':
offer.delete()
deleted = True
return render(request, 'offers/delete_article.html', locals())
urls.py
urlpatterns = patterns('article.views',
url(r'^send_article$', 'send_article', name='send_article'),
url(r'^my_articles$', 'show_my_articles', name='my_articles'),
url(r'^article/(?P<id>\d+)$', 'read', name='read'),
url(r'^articles$', 'show_articles', name='articles'),
url(r'^search_article$', 'search', name='search'),
url(r'^delete_article/(?P<id>\d+)$', 'delete_offer', name='delete_offer'),
)
delete_article.html
{% if not deleted %}
Hey, are you sure you want to delete {{ article.title }}?
<form method="POST">
{% csrf_token %}
<button type="submit" class="deleting_offer_button">delete</button>
</form>
{% elif deleted %}
<p>the article was successfully deleted</p>
<a href="/">get back to the homepage</a><br />
{% endif %}
如您所见,如果用户在url中更改了id的编号,当他被引导到确认删除页面时,他可以删除其他文章。
网站管理员正在做什么以确保用户不会干扰其他用户的对象?
当你得到article/offer。请确保该文章的所有者是经过身份验证的用户。
我不确定你的模型是什么样的,但应该是这样的
offer = get_object_or_404(Offer, id=id, author=logged_user)
这样如果他们不拥有该文章,它将 404
HttpResponseForbidden 可以在这里使用,它使用 403 状态代码。通常在提供身份验证时使用 403 响应,但不允许经过身份验证的用户执行请求的操作。
假设您在 Offer 模型中将 author 作为外键,您可以像这样更改您的视图:
在您的 views.py 中,您必须导入 :
from django.http import HttpResponseForbidden
然后在您的 delete_article 方法中使用此代码
offer = get_object_or_404(Offer, id=id)
if offer.author != request.user:
return HttpResponseForbidden()
我写了一个功能,允许用户删除他在博客网站上的文章。问题是,如果他稍微玩一下 url,他就可以访问另一篇文章并将其删除。
使用 django 避免此类情况的常用策略是什么?
以下是我为函数编写的代码:
views.py
def delete_article(request, id):
deleted = False
logged_user = get_logged_user_from_request(request) #that line allow to ensure that the user is connected. I use the session to achieve that instead of extending the User model
offer = get_object_or_404(Offer, id=id)
if request.method == 'POST':
offer.delete()
deleted = True
return render(request, 'offers/delete_article.html', locals())
urls.py
urlpatterns = patterns('article.views',
url(r'^send_article$', 'send_article', name='send_article'),
url(r'^my_articles$', 'show_my_articles', name='my_articles'),
url(r'^article/(?P<id>\d+)$', 'read', name='read'),
url(r'^articles$', 'show_articles', name='articles'),
url(r'^search_article$', 'search', name='search'),
url(r'^delete_article/(?P<id>\d+)$', 'delete_offer', name='delete_offer'),
)
delete_article.html
{% if not deleted %}
Hey, are you sure you want to delete {{ article.title }}?
<form method="POST">
{% csrf_token %}
<button type="submit" class="deleting_offer_button">delete</button>
</form>
{% elif deleted %}
<p>the article was successfully deleted</p>
<a href="/">get back to the homepage</a><br />
{% endif %}
如您所见,如果用户在url中更改了id的编号,当他被引导到确认删除页面时,他可以删除其他文章。
网站管理员正在做什么以确保用户不会干扰其他用户的对象?
当你得到article/offer。请确保该文章的所有者是经过身份验证的用户。
我不确定你的模型是什么样的,但应该是这样的
offer = get_object_or_404(Offer, id=id, author=logged_user)
这样如果他们不拥有该文章,它将 404
HttpResponseForbidden 可以在这里使用,它使用 403 状态代码。通常在提供身份验证时使用 403 响应,但不允许经过身份验证的用户执行请求的操作。
假设您在 Offer 模型中将 author 作为外键,您可以像这样更改您的视图:
在您的 views.py 中,您必须导入 :
from django.http import HttpResponseForbidden
然后在您的 delete_article 方法中使用此代码
offer = get_object_or_404(Offer, id=id)
if offer.author != request.user:
return HttpResponseForbidden()