1. 首页
  2. 问答
  3. 只限制对is_superuser的访问。 is_staff仍然可以访问页面

只限制对is_superuser的访问。 is_staff仍然可以访问页面

2014-02-08 26 views
0

我在做什么错了?即使它不是超级用户,is_staff仍然可以访问此页面。你能在这里找到我的错误吗?只限制对is_superuser的访问。 is_staff仍然可以访问页面

from django import forms 
from django.conf import settings 
from django.http import HttpResponse, HttpResponseRedirect, Http404 
from ManagerApp import models as pmod 
from . import templater 
from django.contrib.auth.decorators import login_required 
from django.contrib.auth.decorators import user_passes_test 

@login_required(login_url='/ManagerApp/login/') 
@user_passes_test(lambda u: u.is_superuser) 

def process_request__new(request): 
    q = pmod.User() 
    q.first_name = 'New User!' 
    q.save() 
    return HttpResponseRedirect('/ManagerApp/edit_user/' + str(q.id)) 

def process_request(request): 
    '''Shows all users in the DB''' 
    q = pmod.User.objects.get(id=request.urlparams[0]) 
    form = UserForm(initial={ 
    #'active': q.is_active, 
    'superuser': q.is_superuser, 
    'staff': q.is_staff, 
    'firstname': q.first_name, 
    'lastname': q.last_name, 
    'username': q.username, 
    'password': q.password, 
    'email': q.email, 
    'street': q.street, 
    'city': q.city, 
    'state': q.state, 
    'zipCode': q.zipcode, 
    'phone': q.phone, 
    }) 
    if request.method == 'POST': 
    form = UserForm(request.POST) 
    if form.is_valid(): 
     #q.is_active = form.cleaned_data['active'] 
     q.is_superuser = form.cleaned_data['superuser'] 
     q.is_staff = form.cleaned_data['staff'] 
     q.first_name = form.cleaned_data['firstname'] 
     q.last_name = form.cleaned_data['lastname'] 
     q.username = form.cleaned_data['username'] 
     q.set_password(form.cleaned_data['password']) 
     q.email = form.cleaned_data['email'] 
     q.street = form.cleaned_data['street'] 
     q.city = form.cleaned_data['city'] 
     q.state = form.cleaned_data['state'] 
     q.zipcode = form.cleaned_data['zipcode'] 
     q.phone = form.cleaned_data['phone'] 
     q.save() 
     return HttpResponseRedirect('/ManagerApp/users/') 

    # return the template html 
    template_vars = { 
    'form': form, 
    } 
    return templater.render_to_response(request, 'edit_user.html', template_vars) 

class UserForm(forms.Form): 
    '''The question form''' 
    #active = forms.NullBooleanField(required=False) 
    superuser = forms.NullBooleanField(required=False) 
    staff = forms.NullBooleanField(required=False) 
    firstname = forms.CharField(required=False) 
    lastname = forms.CharField(required=False) 
    username = forms.CharField(required=False) 
    password = forms.CharField(required=False) 
    email = forms.CharField(required=False) 
    street = forms.CharField(required=False) 
    city = forms.CharField(required=False) 
    state = forms.CharField(required=False) 
    zipcode = forms.CharField(required=False) 
    phone = forms.CharField(required=False)

我抬头看了一堆教程,但仍找不到解决方案来正确限制只有超级用户的访问权限。

此外,在edit_user页面上,我有每个人都按其ID进行索引。所以URL将如下所示:ManagerApp/edit_user/1 /(该#对应于客户ID)

来源

2014-02-08 user3106444

+0

哪一页?你在这里有两个看法。我认为装饰者应该与第一个相关联,尽管很难说。 –

+0

它是不识别is_superuser的edit_user页面。我可以添加一个用户,它的效果很好 – user3106444

+0

这不是很有帮助。你有两个视图,'process_request__new'和'process_request'。你在说哪一个? –

回答

1

装饰器适用于单个功能。您的user_passes_test修饰符与process_request__new函数关联,而不是process_request函数。

来源

2014-02-08 17:34:56

+0

所以你说我需要把我希望它生效的每个函数的修饰符放在面前?如果这很容易,我会+1你 – user3106444

+0

是的,就是这样。 –

+0

好的,太棒了!现在如何让它重定向到另一个网页,而不是404页面未找到 – user3106444

相关问题

 相关问题