I have this model:
    from django.db.models import CASCADE, Model, OneToOneField

    class Student(Model):
        user = OneToOneField(CustomUser, on_delete=CASCADE, related_name='student')
and this URL:
    path('students/<int:student_pk>/', student, name='student')
and this view:
    from django.contrib.auth.decorators import login_required
    from django.http import HttpResponse

    @login_required
    def student(request, student_pk):
        return HttpResponse('This is your personal panel')
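Well, by using the login_required decorator, I have restricted the student panel page so that users who are not logged in cannot view it. However, other logged-in students can see other people's panels.
How can I restrict them?
I can do it like this: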
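    from django.shortcuts import get_object_or_404

    @login_required
    def student(request, student_pk):
        # Look up the Student named in the URL and compare it with the caller's own.
        student_ins = get_object_or_404(Student, pk=student_pk)
        if student_ins == request.user.student:
            return HttpResponse('This is your personal panel')
        else:
            # Double quotes so the apostrophe in "students'" does not end the string.
            return HttpResponse("Please do not try to see other students' panels! You are not authorized to do this")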
However, I would prefer to do this in a decorator. For example, if the logged-in student, whose primary key is pk = 1, enters this in the URL: www.example.com/students/2