Restricting page view access to specific users/customers

Posted 2024-07-23 04:05:09 · 1256 characters · 6 views · 0 comments


Certainly not a new question I think, but here it goes:

In my Django based Order system each user (who is not staff) is related to a CustomerProfile object which matches that user to the correct Customer object. These customer users can log in and view outstanding Invoices. To view a customer's invoices you navigate to something like this:

/invoices/customer/97/

(Customer Invoice #97)

Which is fine but I need to incorporate some authentication so a user who is part of a Customer's profile can't view another customer's invoices by manually entering /invoices/customer/92/ for example (invoice 92 belongs to another customer).

I've got this but it's really not good code (and doesn't work):

from django.http import HttpResponse
from django.shortcuts import render_to_response
from django.template import RequestContext

# The app's own models (import path assumed)
from .models import UserProfile, CustomerInvoice, CustomerInvoiceOrder


def customer_invoice_detail(request, object_id):
    # request.user is the logged-in user; the original fetched the same
    # object via threadlocals.get_current_user()
    user = request.user
    try:
        userprofile = UserProfile.objects.get(user=user)
        user_customer = userprofile.customer.id
    except UserProfile.DoesNotExist:
        user_customer = None
    # is_staff is a boolean attribute, not a method, and Python's null is None.
    # Note: this condition never compares user_customer with the invoice's own
    # customer, so any user who has a profile can open any invoice id.
    if (request.user.is_authenticated() and user_customer is not None) or request.user.is_staff:
        invoice = CustomerInvoice.objects.get(pk=object_id)
        product_list = CustomerInvoiceOrder.objects.filter(invoice=object_id)
        context = {
            'object': invoice,
            'product_list': product_list,
        }
        return render_to_response("invoices/customer_invoice_detail.html", context,
                                  context_instance=RequestContext(request))
    else:
        return HttpResponse("You are not authorised to view this invoice")

Must be a better/easier way to deal with this - any ideas?

Cheers


Comments (2)

辞旧 2024-07-30 04:05:09


Add a field to your invoice model called user:

user = models.ForeignKey(User, related_name="invoices")

then retrieve records for a specific user like this:

invoice = CustomerInvoice.objects.get(pk=object_id, user=request.user)

Retrieving invoices for a given user is then trivial with the reverse relation:

request.user.invoices.all()

Also, look at the @login_required decorator.

清风夜微凉 2024-07-30 04:05:09


I'd recommend making some business logic for your customer model. This way you could have a get_invoices() method that returns a list of invoices for that customer only. This method in turn would call a is_authenticated() method that ensures that the current state allows retrieval of protected customer data, or raises an exception.

With this, no matter where your code tries to get invoices for a customer, an exception will always be thrown if the current state does not have access to the invoices, and you won't have to worry about inconsistent behavior as long as you use these methods.
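Both answers come down to the same rule: scope the invoice lookup to the caller's own customer (the first answer's `get(pk=..., user=request.user)`), and put that rule in one place so every code path goes through it (the second answer). The following is an added, framework-free model of that view logic, not code from either answerer; it keys invoices by the question's Customer rather than by User, and the dataclasses and sample data are constructed stand-ins for the Django models.

```python
# Framework-free model of the scoped ownership check. Constructed data
# below stands in for User, CustomerProfile, Customer and CustomerInvoice.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True
    is_staff: bool = False
    customer_id: Optional[int] = None  # None: user has no CustomerProfile


@dataclass(frozen=True)
class CustomerInvoice:
    pk: int
    customer_id: int
    total: float


# Constructed sample data: invoice 92 belongs to customer 1, 97/98 to customer 2.
INVOICES: Dict[int, CustomerInvoice] = {
    92: CustomerInvoice(92, customer_id=1, total=120.0),
    97: CustomerInvoice(97, customer_id=2, total=55.5),
    98: CustomerInvoice(98, customer_id=2, total=10.0),
}


def customer_invoice_detail(user: User, object_id: int) -> Tuple[int, Optional[CustomerInvoice]]:
    """Return (http_status, invoice) the way the Django view would.

    The lookup itself is restricted to the caller's customer, so another
    customer's invoice id is simply not found (404) instead of being fetched
    and then checked. Only staff get an unscoped lookup.
    """
    if not user.is_authenticated:
        return (302, None)  # what @login_required does: redirect to login
    if user.is_staff:
        queryset = list(INVOICES.values())  # CustomerInvoice.objects.all()
    elif user.customer_id is None:
        return (403, None)  # authenticated, but no CustomerProfile at all
    else:
        # CustomerInvoice.objects.filter(customer=profile.customer)
        queryset = [inv for inv in INVOICES.values() if inv.customer_id == user.customer_id]
    # get_object_or_404(queryset, pk=object_id)
    match = next((inv for inv in queryset if inv.pk == object_id), None)
    return (200, match) if match else (404, None)
```

Because the filter is applied before the primary-key lookup, a customer probing other ids gets the same 404 as for an id that does not exist, so the response does not reveal which invoices belong to someone else.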
