This works for me, I just want to know whether it is the "safe" or recommended way of doing things. Checking ownership before deletion:
from django.contrib.auth.decorators import login_required
from django.http import HttpResponseRedirect
from django.shortcuts import get_object_or_404, render
from .models import Classroom

def yours(obj, request):
    # Ownership check: does the object belong to the requesting user?
    if obj.user == request.user:
        return True
    else:
        return False

@login_required
def classroom_delete(request, pk, template_name='reports/classroom_confirm_delete.html'):
    classroom = get_object_or_404(Classroom, pk=pk)
    # Is this enough?
    if not yours(classroom, request):
        # Without `return` the redirect was discarded and the view fell through.
        return HttpResponseRedirect('/')
    if request.method == 'POST':
        classroom.delete()
        return HttpResponseRedirect('/')
    return render(request, template_name, {'object': classroom})
I will implement it in all delete functions that delete objects having a foreign key to the user.
This looks like a good approach. Also, in the template, I just wouldn't show the delete option if 'obj.user != request.user' – karthikr
I took care of that with 'classrooms = Classroom.objects.filter(user = request.user)' but that's a good idea for later! – broinjc
OK.. you can do 'return obj.user == request.user' – karthikr
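As an added illustration (not code from the question or its commenters), the view as originally posted and a hardened variant run side by side against an in-memory table; the dataclasses, the `db` dict and `NotFound` are constructed stand-ins for Django's models, queryset and Http404, and the hardened view applies the `user=request.user` scoping that the comments suggest.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str

@dataclass
class Classroom:
    pk: int
    user: User

@dataclass
class Request:
    user: User
    method: str = "POST"

class NotFound(Exception):
    """Stands in for the Http404 that Django's get_object_or_404 raises."""

def get_object_or_404(db, pk, **filters):
    # Like Django's helper: a missing row, or one not matching the filters, is a 404.
    obj = db.get(pk)
    if obj is None or any(getattr(obj, k) != v for k, v in filters.items()):
        raise NotFound(pk)
    return obj

def delete_as_posted(request, db, pk):
    """The question's view as posted: the redirect is built but never returned."""
    classroom = get_object_or_404(db, pk)
    if classroom.user != request.user:
        "HttpResponseRedirect('/')"  # discarded expression; execution falls through
    del db[classroom.pk]
    return "deleted"

def delete_hardened(request, db, pk):
    """Fix: scope the lookup to the caller (user=request.user) and delete only on POST."""
    classroom = get_object_or_404(db, pk, user=request.user)
    if request.method != "POST":
        return "confirm"  # GET only renders the confirmation page
    del db[classroom.pk]
    return "deleted"

def run(view, actor, pk, method="POST"):
    """Exercise a view against a fresh two-row table; return (response, row still present)."""
    db = {1: Classroom(1, User("alice")), 2: Classroom(2, User("bob"))}
    try:
        response = view(Request(User(actor), method), db, pk)
    except NotFound:
        response = "404"
    return response, pk in db
```

Scoping the lookup means a pk belonging to someone else is indistinguishable from a non-existent one, so the ownership decision cannot be skipped by a missing `return`.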