一切都好吗?
我正在 Django 中开发一个应用程序,我正在使用 ModelForm 来注册一个新产品。应该存储在数据库中的值之一是作者是谁,因此,我使用初始值为 request.user.id
的隐藏输入,但我意识到用户可以简单地更改默认值隐藏的输入,放置一个产品,就好像它属于另一个用户一样。如何防止这种情况?
这是我在 views.py
中的 ModelForm:
class newListingForm(forms.ModelForm):
class Meta:
model = Listings
fields = ['Title', 'Description', 'startingBid', 'Category', 'imgURL', 'author']
widgets = {
'Title': forms.TextInput(attrs={'class': 'form-control'}),
'Description': forms.Textarea(attrs={'class': 'form-control'}),
'startingBid': forms.NumberInput(attrs={'class': 'form-control'}),
'Category': forms.Select(attrs={'class': 'form-control'}),
'imgURL': forms.URLInput(attrs={'class': 'form-control'}),
'author': forms.HiddenInput()
}
这是注册新产品的函数:
@login_required
def new(request):
form = newListingForm(initial={'author': request.user.id})
if request.method == "POST":
form = newListingForm(request.POST)
if form.is_valid():
form.save()
return HttpResponseRedirect(reverse("index"))
else:
return render(request, "auctions/new.html", {
'form': form,
})
else:
return render(request, "auctions/new.html", {
'form': form,
'categories': Categories.objects.all(),
})
我试过了,但没有用:
@login_required
def new(request):
form = newListingForm(initial={'author': request.user.id})
if request.method == "POST":
form = newListingForm(request.POST)
if form.is_valid() and form.cleaned_data.author == request.user.id:
form.save()
return HttpResponseRedirect(reverse("index"))
else:
return render(request, "auctions/new.html", {
'form': form,
})
else:
return render(request, "auctions/new.html", {
'form': form,
'categories': Categories.objects.all(),
})
这是我在 models.py
中的模型:
class Listings(models.Model):
Title = models.CharField(max_length=65)
Description = models.TextField(max_length=5000)
startingBid = models.DecimalField(max_digits=6, decimal_places=2)
price = models.DecimalField(max_digits=6, decimal_places=2, null=True, blank=True)
Category = models.ForeignKey(Categories, on_delete=models.CASCADE, related_name="listing", null=True, blank=True)
imgURL = models.URLField(null=True, blank=True)
author = models.ForeignKey(User, on_delete=models.CASCADE, related_name="author")
有人可以帮我吗?预先非常感谢您。