1. 首页
  2. 问答
  3. django安全和用户控制

django安全和用户控制

2017-02-19 48 views
0

如何防止人们编辑后发布和批准和删除在django.i系统中登录的其他人的帖子我正在创建一个论坛,任何人都可以发布question.i需要帮助以谁在系统中已注册用户控制 这个我post_deatil.html {% '延伸,博客/ base.html文件' %}django安全和用户控制

{% block content %} 
    <div class="post"> 
     {% if post.published_date %} 
    <div class="date"> 
     {{ post.published_date }} 
    </div> 
{% else %} 
    {% if id.is_authenticated %} 
     <a class="btn btn-primary" href="{% url 'post_publish' pk=post.pk %}">Publish</a> 
     <a class="btn btn-danger" href="{% url 'post_remove' pk=post.pk %}"><span class="glyphicon glyphicon-remove"></span></a> 
     <a class="btn btn-success" href="{% url 'post_edit' pk=post.pk %}"><span class="glyphicon glyphicon-pencil"></span></a> 
    {% endif %} 
{% endif %} 
     <h1>{{ post.title }}</h1> 
     <p>{{ post.text|linebreaksbr }}</p> 
    </div> 
<hr> 
<a class="btn btn-info" href="{% url 'add_comment_to_post' pk=post.pk %}">Add comment</a> 
{% for comment in post.comments.all %} 
    {% if user.is_authenticated or comment.approved_comment %} 
    <div class="comment"> 
     <div class="date"> 
      {{ comment.created_date }} 
      {% if not comment.approved_comment %} 
       <a class="btn btn-danger" href="{% url 'comment_remove' pk=comment.pk %}"><span class="glyphicon glyphicon-remove"></span></a> 
       <a class="btn btn-success" href="{% url 'comment_approve' pk=comment.pk %}"><span class="glyphicon glyphicon-ok"></span></a> 
       <a href="javascript:history.go(-1)" button type="button" class="btn btn-primary">Cancel</a> 

      {% endif %} 
     </div> 
     <strong>{{ comment.author }}</strong> 
     <p>{{ comment.text|linebreaks }}</p> 
    </div> 
    {% endif %} 
{% empty %} 
    <p>No comments here yet:</p> 
{% endfor %} 
{% endblock %}

这个我view.py

from django.shortcuts import render 
from django.utils import timezone 
from .models import Post, Comment 
from django.shortcuts import render, get_object_or_404 
from .forms import PostForm, CommentForm 
from django.shortcuts import redirect 
from django.contrib.auth.decorators import login_required 


def post_list(request): 
    posts = Post.objects.filter(published_date__lte=timezone.now()).order_by('published_date') 
    """posts = Post.objects.filter(published_date__lte=timezone.now()).get_latest_by('published_date')""" 
    return render(request, 'blog/post_list.html', {'posts': posts}) 

def post_detail(request, pk): 
    post = get_object_or_404(Post, pk=pk) 
    return render(request, 'blog/post_detail.html', {'post': post}) 
@login_required 
def post_new(request): 
    form = PostForm() 
    return render(request, 'blog/post_edit.html', {'form': form}) 
@login_required 
def post_new(request): 
    if request.method == "POST": 
     form = PostForm(request.POST) 
     if form.is_valid(): 
      post = form.save(commit=False) 
      post.author = request.user 
      post.save() 
      return redirect('post_detail', pk=post.pk) 
    else: 
     form = PostForm() 
    return render(request, 'blog/post_edit.html', {'form': form}) 
@login_required 
def post_draft_list(request): 
    posts = Post.objects.filter(published_date__isnull=True).order_by('created_date') 
    return render(request, 'blog/post_draft_list.html', {'posts': posts}) 
@login_required 
def post_publish(request, pk): 
    post = get_object_or_404(Post, pk=pk) 
    post.publish() 
    return redirect('post_detail', pk=pk) 
@login_required 
def publish(self): 
    self.published_date = timezone.now() 
    self.save() 
@login_required 
def post_remove(request, pk): 
    post = get_object_or_404(Post, pk=pk) 
    post.delete() 
    return redirect('post_list') 
@login_required 
def post_edit(request, pk): 
    post = get_object_or_404(Post, pk=pk) 
    if request.method == "POST": 
     form = PostForm(request.POST, instance=post) 
     if form.is_valid(): 
      post = form.save(commit=False) 
      post.author = request.user 
      post.published_date = timezone.now() 
      post.save() 
      return redirect('post_detail', pk=post.pk) 
    else: 
     form = PostForm(instance=post) 
    return render(request, 'blog/post_edit.html', {'form': form}) 
@login_required 
def add_comment_to_post(request, pk): 
    post = get_object_or_404(Post, pk=pk) 
    if request.method == "POST": 
     form = CommentForm(request.POST) 
     if form.is_valid(): 
      comment = form.save(commit=False) 
      comment.post = post 
      comment.save() 
      return redirect('post_detail', pk=post.pk) 
    else: 
     form = CommentForm() 
    return render(request, 'blog/add_comment_to_post.html', {'form': form}) 
@login_required 
def comment_approve(request, pk): 
    comment = get_object_or_404(Comment, pk=pk) 
    comment.approve() 
    return redirect('post_detail', pk=comment.post.pk) 

@login_required 
def comment_remove(request, pk): 
    comment = get_object_or_404(Comment, pk=pk) 
    post_pk = comment.post.pk 
    comment.delete() 
    return redirect('post_detail', pk=post_pk)

来源

2017-02-19 harri

+0

我已经使用过这个功能,还有一些其他登录人员可以编辑其他人的帖子,但他们不会假设,因为他们只是假设只编辑他们的帖子。“{%if id.is_authenticated%}'我已经使用了它根本不工作。 – harri

回答

-1

您可以通过检查是否是通过验证用户是会话作者的条目来控制它。

来源

2017-02-19 16:09:09

+0

我怎么可以控制什么,我问,因为我在这一行尝试并{if id.is_authenticated%} Publish {%ENDIF%}它不是在所有的''工作 – harri

相关问题

 相关问题