问答博客资讯标签用户活动
logo极客观点logo项目管理logoHarmonyOS
javascript
前端
python
node.js
react
vue.js
php
laravel
go
人工智能
mysql
linux
ios
java
android
css
typescript
spring
程序员
logoONES 研发管理logo思否企业问答logo安谋科技 XPU

django 如何采用权限检查的办法,阻止普通用户直接访问某些地址?

头像
nxren2016
    014
    新手上路,请多包涵

    需求:

    1、自行设计一个后台界面。主要功能:增加栏目、修改栏目、删除栏目、发表文章、修改文章、删除文章、上传图片等。希望只有超级管理员可以看到“后台管理”这个入口,其余普通用户无法看到,且无法直接用网址登录到这个界面(栏目地址:http://127.0.0.1:8000/article/article-column/)。
    2、已经在html上对“后台管理”做出权限处理,超级管理员可以见,普通用户不可见。但是普通用户登录后还是可以推测出“后台管理”地址,直接登录到此界面。如何才能使得即使登录成功后,普通用户拷贝到网址也无法登录到“后台管理”界面呢!谢谢!

    代码:

    from django.shortcuts import render
    from django.contrib.auth.decorators import login_required
    from django.views.decorators.csrf import csrf_exempt
    from django.http import HttpResponse
    from .models import ArticleColumn
    from .forms import ArticleColumnForm
    from django.views.decorators.http import require_POST
    from .models import ArticlePost
    from .forms import ArticlePostForm
    from django.shortcuts import get_object_or_404

    新增栏目

    @login_required(login_url='/account/login/')
    @csrf_exempt
    def article_column(request):

    if request.method == "GET":
    columns = ArticleColumn.objects.filter(user=request.user)
    column_form = ArticleColumnForm()
    return render(request, "article/column/article_column.html", {"columns": columns, "column_form": column_form })

if request.method == "POST":
    column_name = request.POST['column']
    columns = ArticleColumn.objects.filter(user_id=request.user.id, column=column_name)
    if columns:
        return HttpResponse('2')
    else:
        ArticleColumn.objects.create(user=request.user, column=column_name)
        return HttpResponse('1')

    编辑栏目

    @login_required(login_url='/account/login/')
    @require_POST
    @csrf_exempt
    def rename_article_column(request):

    column_name = request.POST["column_name"]
column_id = request.POST['column_id']
try:
    line = ArticleColumn.objects.get(id=column_id)
    line.column = column_name
    line.save()
    return HttpResponse("1")
except:
    return HttpResponse("0")

    删除栏目

    @login_required(login_url='/account/login/')
    @require_POST
    @csrf_exempt
    def del_article_column(request):

    column_id = request.POST['column_id']
try:
    line = ArticleColumn.objects.get(id=column_id)
    line.delete()
    return HttpResponse("1")
except:
    return HttpResponse("2")

    发布文章

    @login_required(login_url='/account/login/')
    @csrf_exempt
    def article_post(request):

    if request.method == "POST":
    article_post_form = ArticlePostForm(data=request.POST)
    if article_post_form.is_valid():
        cd = article_post_form.cleaned_data
        try:
            new_article = article_post_form.save(commit=False)
            new_article.author =request.user
            new_article.column = request.user.article_column.get(id=request.POST['column_id'])
            new_article.save()
            return HttpResponse("1")
        except:
            return HttpResponse("2")
    else:
        return HttpResponse("3")
else:
    article_post_form = ArticlePostForm()
    article_columns = request.user.article_column.all()
    return render(request, "article/column/article_post.html",
                  {"article_post_form": article_post_form, "article_columns": article_columns})

    文章列表

    @login_required(login_url='/account/login')
    def article_list(request):

    articles = ArticlePost.objects.filter(author=request.user)
return render(request, "article/column/article_list.html", {"articles": articles})

    文章详情

    @login_required(login_url='/account/login')
    def article_detail(request, id, slug):

    article = get_object_or_404(ArticlePost,id=id, slug=slug)
return render(request, "article/column/article_detail.html", {"article":article})

    删除文章

    @login_required(login_url='/account/login')
    @require_POST
    @csrf_exempt
    def del_article(request):

    article_id = request.POST['article_id']
try:
    article = ArticlePost.objects.get(id=article_id)
    article.delete()
    return HttpResponse("1")
except:
    return HttpResponse("2")

    修改文章

    @login_required(login_url='/account/login')
    @csrf_exempt
    def redit_article(request, article_id):

    if request.method == "GET":
    article_columns = request.user.article_column.all()
    article = ArticlePost.objects.get(id=article_id)
    this_article_form = ArticlePostForm(initial={"title":article.title})
    this_article_column = article.column
    return render(request, "article/column/redit_article.html",
                  {"article":article, "article_columns": article_columns, "this_article_column": this_article_column, "this_article_form":this_article_form})

elif request.method == "POST":
     redit_article = ArticlePost.objects.get(id=article_id)
     try:
         redit_article.column = request.user.article_column.get(id=request.POST['column_id'])
         redit_article.title = request.POST['title']
         redit_article.body = request.POST['body']
         redit_article.save()
         return HttpResponse("1")
     except:
         return HttpResponse("2")

    #html

    {% if user.is_superuser %}
    <li>后台管理</li>
    {% endif %}
    pythondjango
    阅读 3.8k
    1 个回答
    得票最新
    头像
    wdxfairy
      541

      2种方式:

      1: 在 后台管理 的view函数里面, 判断是否是符合条件的用户, 不符合直接重定向到首页 或者 显示特殊的权限错误页面

      2: 使用 permission_required 装饰 后台管理 的view函数

      参考django文档

      撰写回答
      你尚未登录,登录后可以
      • 和开发者交流问题的细节
      • 关注并接收问题和回答的更新提醒
      • 参与内容的编辑和改进,让解决方法与时俱进
      推荐问题