【Posted】: 2020-03-25 13:55:38
【Question】:
I have this model:
class Student(Model):
    user = OneToOneField(CustomUser, on_delete=CASCADE, related_name='student')
and this URL:
    path('students/<int:student_pk>/', student, name='student')
and this view:
@login_required
def student(request, student_pk):
    return HttpResponse('This is your personal panel')
Well, by decorating with login_required I stop users who are not logged in from seeing the student panel page. However, other logged-in students can still see someone else's panel.
How can I restrict them from doing this?
I could do it like this:
@login_required
def student(request, student_pk):
    student_ins = get_object_or_404(Student, pk=student_pk)
    if student_ins == request.user.student:
        return HttpResponse('This is your personal panel')
    else:
        # the apostrophe in "students'" has to be escaped inside a single-quoted string
        return HttpResponse('Please do not try to see other students\' panels! You are not authorized to do this')
But I would prefer to do this in a decorator. For example, if he/she has primary key pk=1 and enters www.example.com/students/2 in the URL, log the logged-in student out.
【Discussion】:
Tags: django security decorator login-required
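An added example of the decorator form the question asks for; it is not code from the question or from Django itself. It assumes the Student-to-user relation shown in the question, and uses constructed in-memory stand-ins for the CustomUser and Student rows so it runs without a database; only PermissionDenied is taken from Django when it is installed.

```python
from functools import wraps
from types import SimpleNamespace

try:
    from django.core.exceptions import PermissionDenied  # Django turns this into a 403
except ImportError:
    class PermissionDenied(Exception):
        """Stand-in so the example also runs where Django is not installed."""


def owner_required(fetch, owner_of, url_kwarg="student_pk", view_kwarg="student_ins"):
    """Load the object named by the URL pk, refuse the request unless it belongs to
    request.user, and hand the verified object to the view in place of the raw pk.
    fetch(pk)     -> the object, e.g. lambda pk: get_object_or_404(Student, pk=pk)
    owner_of(obj) -> its owning user, e.g. lambda s: s.user
    Stack it under @login_required so anonymous users are redirected first.
    """
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            obj = fetch(kwargs.pop(url_kwarg))
            # Compare from the Student side: request.user.student would raise
            # RelatedObjectDoesNotExist for a logged-in user who has no Student row.
            if owner_of(obj) != request.user:
                raise PermissionDenied("This is not your panel")
            kwargs[view_kwarg] = obj
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


# Constructed in-memory stand-ins for CustomUser / Student rows (not real Django models).
ALICE, BOB = SimpleNamespace(pk=1), SimpleNamespace(pk=2)
STUDENTS = {1: SimpleNamespace(pk=1, user=ALICE), 2: SimpleNamespace(pk=2, user=BOB)}


def fetch_student(pk):
    if pk not in STUDENTS:
        raise LookupError(pk)  # get_object_or_404 would raise Http404 here
    return STUDENTS[pk]


@owner_required(fetch=fetch_student, owner_of=lambda s: s.user)
def student(request, student_ins):
    return f"This is your personal panel, student {student_ins.pk}"


def try_panel(user, student_pk):
    # Call the view the way Django does (URL kwargs as keyword args); return (status, body).
    try:
        return 200, student(SimpleNamespace(user=user), student_pk=student_pk)
    except PermissionDenied:
        return 403, ""
    except LookupError:
        return 404, ""
```

In the real project, fetching with `get_object_or_404(Student, pk=pk, user=request.user)` answers 404 for both a missing and a foreign panel, which avoids revealing which student pks exist.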