如何讓用戶只刪除他們在Django中創建的對象？

Question

他們可以通過放置帖子ID來繞過鏈接。我不知道如何解決它。

/borrar/ID

模板按鈕：

{% if user == post.user %} 
    <a class="close pull-right" href="{% url 'post_borrar' post.id %}"><span aria-hidden="true">&times;</span></a> 
{% endif %} 

模板帖子/ posts_mod_borrar.html：

<form method="post"> 
    {% csrf_token %} 
    ¿Estás seguro que deseas borrar el post "{{ object }}"? 
    <input type="submit" value="Submit" /> 
</form> 

views.py

class PostDeleteView(generic.DeleteView): 
    model = Post 
    template_name = 'posts/posts_mod_borrar.html' 
    success_url = reverse_lazy('timeline') 

model.py

class Post(models.Model): 
    user = models.ForeignKey(User, on_delete=models.CASCADE) 
    texto = models.CharField(max_length=200) 
    imagen = models.ImageField(upload_to='posts', blank=True) 
    video = models.URLField(blank=True) 
    creado = models.DateTimeField(auto_now_add=True) 
    actualizado = models.DateTimeField(auto_now=True) 

class Meta: 
    ordering = ["-creado"] 

def __str__(self): 
    return self.texto 

Answer 1

您可以檢查obj.user是在dispatch方法request.user：

from django.core.exceptions import PermissionDenied 

class PostDeleteView(generic.DeleteView): 
    ... 

    def user_passes_test(self, request): 
     if request.user.is_authenticated(): 
      self.object = self.get_object() 
      return self.object.user == request.user 
     return False 

    def dispatch(self, request, *args, **kwargs): 
     if not self.user_passes_test(request): 
      raise PermissionDenied 
     return super(PostDeleteView, self).dispatch(
      request, *args, **kwargs) 

如果用戶沒有通過user_passes_testPermissionDenied將提高