How to prevent a user changing the URL <pk> to see other submission data in Django


Problem description


I'm new to the web development world, to Django, and to applications that require securing the URL from users that change the foo/bar/pk to access other user data.


Is there a way to prevent this? Or is there a built-in way to prevent this from happening in Django?


E.g.: foo/bar/22 can be changed to foo/bar/14 and exposes past users data.


I have read the answers to several questions about this topic and I have had little luck in an answer that can clearly and coherently explain this and the approach to prevent this. I don't know a ton about this so I don't know how to word this question to investigate it properly. Please explain this to me like I'm 5.

Recommended answer


There are a few ways you can achieve this:


If you have the concept of login, just restrict the URL to:

/foo/bar/

and in the code, user=request.user and display data only for the logged-in user.

Another way is:

/foo/bar/{{request.user.id}}/

and in the view:

from django.http import HttpResponseForbidden

def myview(request, id):
    # id comes from the URL; declare the route with the <int:id> converter
    # so it is an int and compares correctly with request.user.id
    if id != request.user.id:
        # The response must be returned, not just constructed
        return HttpResponseForbidden('You cannot view what is not yours')  # Or however you want to handle this
    # ... otherwise build and return the logged-in user's own page


You could even write a middleware that would redirect the user to their page /foo/bar/userid - or to the login page if not logged in.
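The ownership check the answer describes, as an added example that is not part of the original answer. It is written without Django so it runs stand-alone: the Submission rows, owner ids and the Request object are constructed here, and the scoped lookup stands in for `get_object_or_404(Submission, pk=pk, owner=request.user)` in a real Django view.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Submission:
    pk: int
    owner_id: int
    body: str


# Constructed sample data: submission 14 belongs to user 1, submission 22 to user 2.
SUBMISSIONS = {
    14: Submission(pk=14, owner_id=1, body="user 1's answers"),
    22: Submission(pk=22, owner_id=2, body="user 2's answers"),
}


@dataclass(frozen=True)
class Request:
    user_id: Optional[int]  # None stands for an anonymous (not logged-in) user


def view_submission_insecure(request: Request, pk: int) -> Tuple[int, Optional[str]]:
    """The 'before': trusts the pk from the URL alone, so any logged-in user
    who edits /foo/bar/22 to /foo/bar/14 gets user 1's data back."""
    sub = SUBMISSIONS.get(pk)
    return (404, None) if sub is None else (200, sub.body)


def view_submission(request: Request, pk: int) -> Tuple[int, Optional[str]]:
    """Hardened view: the row must match both the pk AND the logged-in owner.
    Equivalent Django lookup: get_object_or_404(Submission, pk=pk, owner=request.user)."""
    if request.user_id is None:
        return (302, "/login/")  # what a login_required decorator would do
    sub = SUBMISSIONS.get(pk)
    if sub is None or sub.owner_id != request.user_id:
        # Answering 404 for both "missing" and "not yours" does not confirm
        # that another user's pk exists; use 403 if you prefer an explicit
        # "You cannot view what is not yours" response as in the answer.
        return (404, None)
    return (200, sub.body)
```

Because the owner is part of the query itself, there is no separate comparison to forget in a new view, which is why scoping the queryset is preferable to checking `id != request.user.id` by hand.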
