Should I use Django permissions checks in the template AND the view?


Question

Is it advised or redundant to set permissions on the template AND the view?

Consider that any data manipulation to the DB is done through POST.

Is the following permission check enough?

{% if perms.system.view_employee %}
     <!-- content here -->
{% else %}
     <h1>Sorry you do not have permission to access this page</h1>
{% endif %}

Or should I also implement server-side checking as well (is it redundant to do so, or necessary)?

from django.http import HttpResponse

def my_view(request):
    # server-side check: the user object carries the permissions granted via groups/users
    if not request.user.has_perm('polls.can_vote'):
        return HttpResponse("You can't access this page")
    else:
        # do stuff
        ...


Recommended answer


  1. Checks in the template are server side.
  2. Permissions checks in the template and in the view do not have the same purpose:


  • Checking permissions on the view will disallow the access to the entire page. You do this when this page, and the features it embeds, is for APO. You handle resource access.
  • Checking permissions in the template disallows parts of the template to be displayed. You do this when you want people to be able to access the page, but there is some stuff you don't want them to see on the page. You handle display.

In your particular example, you must set the permissions checks on the view to disallow anybody to do this manipulation. Usually, if the view is accessed using POST there are little chances you want template permission checks, because POST requests are actions by essence.

You usually will want template permissions checks if you:


  • have some parts of the page the person is not allowed to see (such as sensitive data);
  • want to improve usability by showing only the elements relevant to their permission level (menus, forms, etc.). If the person has no permission to access the admin, showing an admin link in the menu is useless.
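The following is an added example, not code from the question or the answer. It shows the answer's point in runnable form without requiring Django: a template-level check decides what is displayed, while only a view-level check on the POST action protects the data. `FakeUser` and `FakeRequest` are constructed stand-ins for the two attributes the view code uses (`request.method` and `request.user.has_perm`); the permission names `system.view_employee` and `system.change_employee`, the view functions and the employee data are assumptions for the illustration.

```python
# Added example (not from the original Q&A): template check = display,
# view check = access. Django is not imported; the Fake* classes are
# constructed stand-ins for the attributes a Django view reads.
from dataclasses import dataclass, field


@dataclass
class FakeUser:
    """Stand-in for a Django user; only has_perm() is exercised here."""
    perms: frozenset = field(default_factory=frozenset)

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class FakeRequest:
    """Stand-in for django.http.HttpRequest with the fields the views read."""
    method: str
    user: FakeUser
    POST: dict = field(default_factory=dict)


def sample_store() -> dict:
    """Constructed stand-in for the Employee table (a dict instead of a model)."""
    return {1: {"name": "A. Example", "salary": 50_000}}


def render_employee_page(user: FakeUser) -> dict:
    """Mirrors the template's {% if perms.system.view_employee %} block:
    this only decides what is shown, it protects no action."""
    if user.has_perm("system.view_employee"):
        # the edit form is also hidden by a template check, nothing more
        return {"visible": True,
                "show_edit_form": user.has_perm("system.change_employee")}
    return {"visible": False,
            "message": "Sorry you do not have permission to access this page"}


def _apply_salary_change(request: FakeRequest, store: dict) -> tuple:
    """The data manipulation itself; a 404 if the employee id is unknown."""
    emp = store.get(int(request.POST["id"]))
    if emp is None:
        return 404, "not found"
    emp["salary"] = int(request.POST["salary"])
    return 302, "redirect"


def template_only_view(request: FakeRequest, store: dict) -> tuple:
    """Anti-pattern: relies on the form being hidden in the template. A POST
    can be sent without ever rendering the page, so the write goes through."""
    if request.method == "POST":
        return _apply_salary_change(request, store)
    return 200, render_employee_page(request.user)


def hardened_view(request: FakeRequest, store: dict) -> tuple:
    """Server-side check on the action, i.e. request.user.has_perm(...) as in
    the question (or Django's permission_required(..., raise_exception=True))."""
    if request.method == "POST":
        if not request.user.has_perm("system.change_employee"):
            return 403, "You can't access this page"   # HttpResponseForbidden in Django
        return _apply_salary_change(request, store)
    # GET: the template-level check still decides what is displayed
    return 200, render_employee_page(request.user)
```

Run against a user with no permissions, `template_only_view` accepts the POST and changes the stored salary, because nothing on the server ever asked who is posting; `hardened_view` returns 403 and leaves the data untouched, while a GET from a user with only `system.view_employee` still renders the page with the edit form hidden, which is exactly the display concern the template check is for.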
