如何防止用户更改URL< pk>查看其他提交数据Django [英] How to prevent user changing URL <pk> to see other submission data Django
问题描述
我是Web开发领域,Django和需要保护URL的应用程序的新手,这些用户需要更改foo/bar/ pk 的用户才能访问其他用户数据.
I'm new to the web development world, to Django, and to applications that require securing the URL from users that change the foo/bar/pk to access other user data.
有没有办法防止这种情况?还是有内置的方法可以防止这种情况在Django中发生?
Is there a way to prevent this? Or is there a built-in way to prevent this from happening in Django?
例如:
可以将foo/bar/22
更改为foo/bar/14
并公开过去的用户数据.
E.g.:
foo/bar/22
can be changed to foo/bar/14
and exposes past users data.
我已经阅读了有关该主题的几个问题的答案,并且运气不佳,可以清楚,连贯地解释这一问题以及防止该问题发生的方法.我对此一无所知,所以我不知道该如何措辞以适当地调查它.请像我5岁时向我解释一下.
I have read the answers to several questions about this topic and I have had little luck in an answer that can clearly and coherently explain this and the approach to prevent this. I don't know a ton about this so I don't know how to word this question to investigate it properly. Please explain this to me like I'm 5.
推荐答案
有几种方法可以实现此目的:
There are a few ways you can achieve this:
如果您具有登录的概念,只需将URL限制为:
If you have the concept of login, just restrict the URL to:
/foo/bar/
,并在代码user=request.user
中,仅显示已登录用户的数据.
and in the code, user=request.user
and display data only for the logged in user.
另一种方式是:
/foo/bar/{{request.user.id}}/
并在视图中:
def myview(request, id):
if id != request.user.id:
HttpResponseForbidden('You cannot view what is not yours') #Or however you want to handle this
您甚至可以编写中间件会将用户重定向到其页面/foo/bar/userid
-或如果未登录则重定向到登录页面.
You could even write a middleware that would redirect the user to their page /foo/bar/userid
- or to the login page if not logged in.
这篇关于如何防止用户更改URL< pk>查看其他提交数据Django的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!