How to restrict editing of records to the logged-in user?


Problem description


Sorry, I am still new to Django, hopefully the question isn't out of place.

When I have the following in my template:

<td><a href="/contact/edit/?id={{ item.id }}">{{ item.last_name }}</a></td>

By clicking on the last name, the user is redirected to the following link in order to edit the record.

http://127.0.0.1:8000/contact/edit/?id=1

But then what prevents any logged-in user from just injecting a different id in there in the browser and editing a record that doesn't belong to him?

Update

I just had an idea when I read the comment and answer below. Rather than using a third-party app, couldn't I just create a UserProfile for each user and attach a unique, company-wide uuid.uuid1()? Each time a logged-in user attempts to edit something, his unique company uuid would also be passed in the link as an additional parameter.

On the edit side, it would harvest this GUID and compare it against the logged-in user to see if they match. If they do match, he is authorized to proceed with the editing; otherwise he is redirected.

What do you think? Any weaknesses?

Solution

When you're using Django auth, always rely on the session mechanism to identify a user instead of making some other id such as uuid1() (except, for example, when you need extra sessions in an e-commerce site under HTTPS).

For the permission part, you could check the ownership directly, mainly as described by Koliber Services. The relationships between Company, User and Contact are crucial for the logic of the permission check. There are many ways to model the relationships, and thus the code would differ a lot. For example:

# one modeling approach
User.company -> Company : a user belongs to a company
Contact.contributor -> User : a contact is contributed by a user; becomes invalid if the user leaves the company
# accessibility could be checked by
can_view = contact.contributor.company_id == current_user.company_id

# another modeling approach
User.company -> Company : a user belongs to a company
Contact.company -> Company : contact info is owned by a company and is not shared globally
# accessibility could be checked by
can_view = contact.company_id == current_user.company_id

When can_view is False, the user should get a 403 for his unauthorized attempt, and the attempt should be logged.

Normally the above method is enough for content protection (not yet in Django Admin). However, when you have many different types of permission checks and even row-level permission checks, it's better to use some uniform permission API.

Take django-guardian for example: you could simply map companies to groups and assign the can_view permission on a contact to the group representing the user's company. Or, assign the can_view permission to all users in a company when a contact is created, using a signal or a Celery task.

Furthermore, you could use /contact/1/edit/ instead of /contact/edit/?id=1. In this way the int(request.GET['id']) part is moved to the urlconf, e.g. r'^contact/(?P<pk>\d+)/$', which is less code and much clearer.
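The ownership check the answer describes, worked through as an added example (not code from the question or the answer, and framework-free so it runs without Django): identity comes only from the session user passed into the handler, never from a URL parameter, the record's company_id is compared with the user's, and a mismatch yields a 403 plus an audit entry. The User, Contact, CONTACTS and AUDIT names are constructed stand-ins for Django models and rows; in a real view the same rule is `get_object_or_404(Contact, pk=pk, company_id=request.user.company_id)` or raising PermissionDenied.

```python
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("contact.authz")

# Audit trail of denied attempts (constructed stand-in for real logging sinks).
AUDIT: List[str] = []


@dataclass(frozen=True)
class User:          # stand-in for request.user with a company FK
    id: int
    company_id: int


@dataclass(frozen=True)
class Contact:       # stand-in for the Contact model (second modeling approach)
    id: int
    company_id: int
    last_name: str


# Constructed sample rows: contact 1 belongs to company 10, contact 2 to company 20.
CONTACTS: Dict[int, Contact] = {
    1: Contact(1, company_id=10, last_name="Smith"),
    2: Contact(2, company_id=20, last_name="Jones"),
}


def can_edit(user: User, contact: Contact) -> bool:
    """Ownership rule from the answer: the contact is owned by the user's company."""
    return contact.company_id == user.company_id


def edit_contact(user: Optional[User], pk: int) -> Tuple[int, str]:
    """Handler for /contact/<pk>/edit/: returns (HTTP status, body).

    pk is the only client-controlled input; the user comes from the session.
    """
    if user is None:                       # anonymous: send to login, as login_required does
        return 302, "redirect to login"
    contact = CONTACTS.get(pk)
    if contact is None:
        return 404, "not found"
    if not can_edit(user, contact):
        # Deny and record who tried to reach which record from which company.
        entry = (f"user {user.id} (company {user.company_id}) denied edit of "
                 f"contact {contact.id} (company {contact.company_id})")
        AUDIT.append(entry)
        log.warning(entry)
        return 403, "forbidden"
    return 200, f"edit form for {contact.last_name}"
```

Returning 404 instead of 403 for foreign records (by filtering the query on company_id) additionally hides whether the id exists; either way the decision is made server-side against the session user.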
