使用Django中的身份验证信息登录URL [英] Login URL using authentication information in Django
问题描述
我正在为我的大学在线实验室注册平台。
登录查看[project views.py]
$从django.http导入httpResponse,HttpResponseRedirect,Http404
从django.shortcuts导入render_to_response
从django.template导入RequestContext
b $ b from django.contrib import auth
def index(request):
return render_to_response('index.html',{},context_instance = RequestContext(request))
def login(request):
如果request.method ==POST:
post = request.POST.copy()
如果post.has_key('username')和post.has_key('password'):
usr = post ['username']
pwd = post ['password']
user = auth.authenticate(username = usr,password = pwd)
如果用户不是None和user.is_active:
auth.login(request,user)
如果user.get_profile()。is_teac她的
返回HttpResponseRedirect('/ teachers /'+ user.username +'/')
else:
返回HttpResponseRedirect('/ students /'+ user.username +'/')
return render_to_response('index.html',{'msg':'你不属于这里'},context_instance = RequestContext(request)
return render_to_response('login.html',{},context_instance = RequestContext(request))
def logout(request):
auth.logout(request)
return render_to_response('index.html',{},context_instance = RequestContext(request))
< h2> URLS
#========== PROJECT URLS ========== #
pre>
urlpatterns = patterns('',
(r'^ media /(?P< path>。*)$','django.views.static.serve' document_root':settings.MEDIA_ROOT}),
(r'^ admin /',include(admin.site.ur ls)),
(r'^ teachers /',include('diogenis.teachers.urls')),
(r'^ students /',include('diogenis.students 。
(r'^ login /',login),
(r'^ logout /',logout),
(r'^ $',index)
)
#========教师APP URLS ==========#
urlpatterns = patterns( '',
(r'^(?P< username> \w {0,50})/',labs),
)
登录视图基本上通过get_profile()]检查登录用户是否是__老师 [UserProfile属性],并将用户重定向到他的个人资料。
实验室查看[teacher app views.py]
from django .http import HttpResponse,HttpResponseRedirect,Http404
pre>
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.contrib.auth.decorators import user_passes_test
from django.contrib.auth.models import User
from accounts.models import *
from labs.models import *
def user_is_teacher(user):
return user.is_authenticated()和user.get_profile()。is_teacher
@user_passes_test(user_is_teacher,login_url =/ login /)
def labs(request,username):
q1 = User.objects.get(username = username)
q2 = u'%s%s'%(q1.last_name,q1.first_name)
q2 = Teacher.objects.get(name = q2)
results = TeacherToLab.objects.filter(teacher = q2)
return render_to_response('teachers / labs.html',{'results':results},context_instance = RequestContext(request))
我使用@user_passes_test装饰器来检查经过身份验证的用户是否有权使用此视图[labs view]。
我现在使用的逻辑是,Django认证一位老师的用户,他可以通过在网址中输入老师的用户名来访问所有的教师资料。
一旦老师找到同事的用户名,他可以直接访问他的数据。
任何建议都将不胜感激。
解决方案一种简单的方法是修改视图以添加额外的支票:
pre $@user_passes_test(user_is_teacher,login_url =/ login /)
def labs(request,username):
if username!= request.user .username:
return HttpResponseNotAllowed()
...等等...
I'm working on a platform for online labs registration for my university.
Login View [project views.py]
from django.http import HttpResponse, HttpResponseRedirect, Http404 from django.shortcuts import render_to_response from django.template import RequestContext from django.contrib import auth def index(request): return render_to_response('index.html', {}, context_instance = RequestContext(request)) def login(request): if request.method == "POST": post = request.POST.copy() if post.has_key('username') and post.has_key('password'): usr = post['username'] pwd = post['password'] user = auth.authenticate(username=usr, password=pwd) if user is not None and user.is_active: auth.login(request, user) if user.get_profile().is_teacher: return HttpResponseRedirect('/teachers/'+user.username+'/') else: return HttpResponseRedirect('/students/'+user.username+'/') else: return render_to_response('index.html', {'msg': 'You don\'t belong here.'}, context_instance = RequestContext(request) return render_to_response('login.html', {}, context_instance = RequestContext(request)) def logout(request): auth.logout(request) return render_to_response('index.html', {}, context_instance = RequestContext(request))
URLS
#========== PROJECT URLS ==========# urlpatterns = patterns('', (r'^media/(?P<path>.*)$', 'django.views.static.serve', {'document_root': settings.MEDIA_ROOT }), (r'^admin/', include(admin.site.urls)), (r'^teachers/', include('diogenis.teachers.urls')), (r'^students/', include('diogenis.students.urls')), (r'^login/', login), (r'^logout/', logout), (r'^$', index), ) #========== TEACHERS APP URLS ==========# urlpatterns = patterns('', (r'^(?P<username>\w{0,50})/', labs), )
The login view basically checks whether the logged in user is_teacher [UserProfile attribute via get_profile()] and redirects the user to his profile.
Labs View [teachers app views.py]
from django.http import HttpResponse, HttpResponseRedirect, Http404 from django.shortcuts import render_to_response from django.template import RequestContext from django.contrib.auth.decorators import user_passes_test from django.contrib.auth.models import User from accounts.models import * from labs.models import * def user_is_teacher(user): return user.is_authenticated() and user.get_profile().is_teacher @user_passes_test(user_is_teacher, login_url="/login/") def labs(request, username): q1 = User.objects.get(username=username) q2 = u'%s %s' % (q1.last_name, q1.first_name) q2 = Teacher.objects.get(name=q2) results = TeacherToLab.objects.filter(teacher=q2) return render_to_response('teachers/labs.html', {'results': results}, context_instance = RequestContext(request))
I'm using @user_passes_test decorator for checking whether the authenticated user has the permission to use this view [labs view].
The problem I'm having with the current logic is that once Django authenticates a teacher user he has access to all teachers profiles basically by typing the teachers username in the url. Once a teacher finds a co-worker's username he has direct access to his data.
Any suggestions would be much appreciated.
解决方案A simple way would be to modify the view to add an extra check:
@user_passes_test(user_is_teacher, login_url="/login/") def labs(request, username): if username != request.user.username: return HttpResponseNotAllowed() ... and so on ...
这篇关于使用Django中的身份验证信息登录URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!