Question

我做错了什么？即使不是超级用户，is_staff仍然可以访问此页面。你能在这里找到我的错误吗？

from django import forms
from django.conf import settings
from django.http import HttpResponse, HttpResponseRedirect, Http404
from ManagerApp import models as pmod
from . import templater
from django.contrib.auth.decorators import login_required
from django.contrib.auth.decorators import user_passes_test

@login_required(login_url='/ManagerApp/login/')
@user_passes_test(lambda u: u.is_superuser)

def process_request__new(request):
  q = pmod.User()
  q.first_name = 'New User!'
  q.save()
  return HttpResponseRedirect('/ManagerApp/edit_user/' + str(q.id))

def process_request(request):
  '''Shows all users in the DB'''
  q = pmod.User.objects.get(id=request.urlparams[0])
  form = UserForm(initial={
    #'active': q.is_active,
    'superuser': q.is_superuser,
    'staff': q.is_staff,
    'firstname': q.first_name,
    'lastname': q.last_name,
    'username': q.username,
    'password': q.password,
    'email': q.email,
    'street': q.street,
    'city': q.city,
    'state': q.state,
    'zipCode': q.zipcode,
    'phone': q.phone,
  })
  if request.method == 'POST':
    form = UserForm(request.POST)
    if form.is_valid():
      #q.is_active = form.cleaned_data['active']
      q.is_superuser = form.cleaned_data['superuser']
      q.is_staff = form.cleaned_data['staff']
      q.first_name = form.cleaned_data['firstname']
      q.last_name = form.cleaned_data['lastname']
      q.username = form.cleaned_data['username']
      q.set_password(form.cleaned_data['password'])
      q.email = form.cleaned_data['email']
      q.street = form.cleaned_data['street']
      q.city = form.cleaned_data['city']
      q.state = form.cleaned_data['state']
      q.zipcode = form.cleaned_data['zipcode']
      q.phone = form.cleaned_data['phone']
      q.save()
      return HttpResponseRedirect('/ManagerApp/users/')

  # return the template html
  template_vars = {
    'form': form,
  }
  return templater.render_to_response(request, 'edit_user.html', template_vars)

class UserForm(forms.Form):
  '''The question form'''
  #active = forms.NullBooleanField(required=False)
  superuser = forms.NullBooleanField(required=False)
  staff = forms.NullBooleanField(required=False)
  firstname = forms.CharField(required=False)
  lastname = forms.CharField(required=False)
  username = forms.CharField(required=False)
  password = forms.CharField(required=False)
  email = forms.CharField(required=False)
  street = forms.CharField(required=False)
  city = forms.CharField(required=False)
  state = forms.CharField(required=False)
  zipcode = forms.CharField(required=False)
  phone = forms.CharField(required=False)

我查了一堆教程，但仍然无法找到正确限制只能访问超级用户的解决方案。

此外，在edit_user页面上，我的每个人都按其ID编制索引。所以URL看起来像这样：ManagerApp / edit_user / 1 /（＃对应客户ID）

Answer 1

装饰器适用于单个功能。您的user_passes_test装饰器与process_request__new功能相关联，而不是process_request功能。

限制仅访问is_superuser。 is_staff仍然可以访问页面

1 个答案: