Prevent users from accessing data of another user when typing the slug in the URL


Problem description


If user 1 creates this ticket: mywebsite/manager/tickets/ticket-from-user-1/

And user 2 creates that one: mywebsite/manager/tickets/ticket-from-user-2/

How can I prevent user 1 from accessing the ticket of user 2 or other users by typing it in the URL?

views.py

from django.contrib.auth.mixins import LoginRequiredMixin
from django.views.generic import DetailView

from .forms import CommentForm   # assumed app-local imports, not shown in the question
from .models import Ticket


class TicketDisplay(LoginRequiredMixin, DetailView):
    model = Ticket
    template_name = 'ticket_detail.html'
    context_object_name = 'ticket'
    # Looks the ticket up by its human-readable slug only; nothing here ties
    # the object to request.user, so any logged-in user can open any ticket.
    slug_field = 'slug'

    def get_context_data(self, **kwargs):
        context = super(TicketDisplay, self).get_context_data(**kwargs)
        context['form_add_comment'] = CommentForm()
        return context

url.py

url(r'^manager/tickets/(?P<slug>[-\w]+)/$', views.TicketDetail.as_view(), name='ticket_detail')

Solution

I recently implemented this functionality in a project. It can be done by using automatically generated UUIDs. Django has a built-in model field for this, or you can use a slug field and give it a default value. Here is a quick example.

In your models.py file, import the uuid library and then set the default value of your slug field to be uuid.uuid4.

models.py:

import uuid

from django.db import models


class Ticket(models.Model):
    # A random UUID as the URL key: unguessable, unlike a sequential pk or a readable slug.
    uuid = models.SlugField(default=uuid.uuid4, editable=False)
    ...

In urls.py, just use the uuid field as if it were a pk. Something like this:

url(r'^manager/tickets/(?P<uuid>[0-9a-z-]+)/?$', TicketDetail.as_view(), name='ticket-detail'),

In your detail, update, and delete views, you will need to make sure to set these two attributes so that Django knows which field to use as the slug:

slug_field = 'uuid'
slug_url_kwarg = 'uuid'

Then in your templates and whenever you need to retrieve an object for the kwargs, just use the uuid instead of the pk.

Note that in addition to this, you should also do all you can with permissions to block users from seeing other pages. You may be able to block certain accounts from viewing other people's details. For instance, you could probably write a permissions mixin to check whether request.user matches up with the object that the view is handling.

tl;dr: This is assuming that you have some kind of relation to a user on your Ticket model:

from django.http import Http404


class SameUserOnlyMixin(object):

    def has_permissions(self):
        # Assumes that your Ticket model has a foreign key called user.
        return self.get_object().user == self.request.user

    def dispatch(self, request, *args, **kwargs):
        # With LoginRequiredMixin listed before this mixin in the view's bases,
        # its dispatch() runs first, so request.user is authenticated here.
        # Http404 (not 403) keeps the response identical to a missing ticket.
        if not self.has_permissions():
            raise Http404('You do not have permission.')
        return super(SameUserOnlyMixin, self).dispatch(
            request, *args, **kwargs)

Finally, stick it on to your view like this:

class TicketDisplay(LoginRequiredMixin, SameUserOnlyMixin, DetailView):
    ...
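The two controls from the answer, modelled without Django so they can be exercised offline, as an added example that is not part of the original answer: an in-memory ticket store, a view-like ticket_detail() that applies the same check as SameUserOnlyMixin, and an owner-scoped lookup standing in for a filtered get_queryset(). The NotFound class, User, the sample tickets and every function name are constructed here.

```python
import uuid as uuidlib
from dataclasses import dataclass, field

class NotFound(Exception):
    """Stand-in for django.http.Http404, which the answer's mixin raises."""

@dataclass(frozen=True)
class User:
    username: str

@dataclass
class Ticket:
    user: User  # the owner; the answer assumes a ForeignKey named "user"
    slug: str   # human-readable, therefore guessable from the URL pattern
    uuid: str = field(default_factory=lambda: str(uuidlib.uuid4()))  # unguessable

# Constructed sample data matching the two URLs in the question.
USER1, USER2 = User("user1"), User("user2")
TICKETS = [Ticket(USER1, "ticket-from-user-1"), Ticket(USER2, "ticket-from-user-2")]

def get_object(lookup_field, value, owner=None):
    """Mimics DetailView.get_object(): find one ticket by slug or uuid.
    Passing owner models a get_queryset() already filtered to request.user,
    so another user's ticket simply does not exist from this user's side."""
    for ticket in TICKETS:
        if getattr(ticket, lookup_field) == value and owner in (None, ticket.user):
            return ticket
    raise NotFound(f"no ticket with {lookup_field}={value!r}")

def ticket_detail(request_user, value, lookup_field="slug",
                  enforce_owner=True, scope_to_owner=False):
    """The view's dispatch path: resolve the object, then apply the same check
    as SameUserOnlyMixin. enforce_owner=False reproduces the vulnerable view in
    the question. A 404 rather than 403 keeps the response identical to a
    missing ticket, so it does not confirm that a guessed slug exists."""
    ticket = get_object(lookup_field, value, request_user if scope_to_owner else None)
    if enforce_owner and ticket.user != request_user:
        raise NotFound("You do not have permission.")
    return ticket

def is_denied(request_user, value, **kwargs):
    """True when the request would end in a 404, whatever the reason."""
    try:
        ticket_detail(request_user, value, **kwargs)
    except NotFound:
        return True
    return False
```

Either the mixin-style check or the owner-scoped lookup alone is enough to deny the cross-user request; the UUID only removes guessability and is not a substitute for the check.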
