我试图将CRUD页面的访问权限限制在所有者,但我找不到等效于"if request.user!=post.author raise Http404"的基于类的视图。谢谢你的时间。
型号.py
class Article(models.Model):
title = models.CharField(max_length=255)
body = models.TextField()
date = models.DateTimeField(auto_now_add=True)
author = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)
def __str__(self):
return self.title
def get_absolute_url(self):
return reverse('article_detail', args=[str(self.id)])
views.py
class ArticleUpdateView(LoginRequiredMixin, UpdateView):
model = Article
fields = ['title', 'body']
template_name = 'article_edit.html'
login_url = 'login'
我尝试了下面的(以及围绕这些行的许多其他组合(,但它不起作用。
def get(self, request, *args, **kwargs):
if self.request.user == self.obj.author:
raise Http404()
你可以这样做:-
class ArticleUpdateView(LoginRequiredMixin, UpdateView):
model = Article
fields = ['title', 'body']
template_name = 'article_edit.html'
login_url = 'login'
def get(self, request, *args, **kwargs):
self.obj = self.get_object()
if self.request.user != self.obj.author:
raise Http404()
return super(ArticleUpdateView, self).get(request, *args, **kwargs)
我认为您可以覆盖get_queryset方法来实现这一点。例如:
class ArticleUpdateView(...):
def get_queryset(self):
queryset = super(ArticleUpdateView, self).get_queryset()
return queryset.filter(author = self.request.user)
因此,当用户试图更新不是他创建的帖子时,他将无法获得它,因为他将无法在get_queryset方法提供的Queryset中找到帖子对象。有关详细信息,请参阅稍后由UpdateView细分的SingleObjectMixinFYI您不需要为此实现重写get方法。