第 13 章    存取限制

▸ 登入使用者權限設定

article/views.py
...
from django.db.models.query_utils import Q
from django.contrib.auth.decorators import login_required

...

@login_required
def articleLike(request, articleId):
    ...

@login_required
def commentCreate(request, articleId):
    ...

@login_required
def commentUpdate(request, commentId):
    ...

@login_required
def commentDelete(request, commentId):
    ...

▸ 登出權限設定

account/views.py
...
from django.contrib.auth import logout as auth_logout
from django.contrib.auth.decorators import login_required

...

@login_required
def logout(request):
    ...

▸ 設定轉向登入頁面

...

AUTH_USER_MODEL = 'account.User'

LOGIN_URL = '/account/login/'

▸ 登入後自動轉址

account/views.py
def login(request):
    """Show the login form on GET; handle the submitted form on POST.

    The ``next`` query parameter (``admin_required`` in main/views.py appends
    it when it bounces a request here; Django's ``login_required`` does the
    same by default) is handed to the template as ``nextURL`` so the form can
    carry it through to the POST.
    """
    ...
    template = 'account/login.html'
    if request.method == 'GET':
        # ``next`` is whatever the browser put in the query string, i.e.
        # untrusted input.  Here it is only echoed into the form (the template
        # autoescapes ``{{ nextURL }}`` by default); it must be validated
        # before it is ever used as a redirect target.
        return render(request, template, {'nextURL':request.GET.get('next')})

    # POST
    ...

▸ 將 nextURL 設為隱藏欄位

account/templates/account/login.html
  ...
  <p>密碼:<input type="password" name="password"></p>
  {% if nextURL %}
    <input type="hidden" name="nextURL" value="{{ nextURL }}">
  {% endif %}
  <p><input type="submit" value="送出"></p>
  ...

▸ 轉址程式

account/views.py
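def _is_local_path(url):
    """Return True only when *url* is a path on this site, e.g. ``/article/3/``.

    Values carrying a scheme or a host (``http://other.example/``,
    ``//other.example/``, ``/\\other.example``) and scheme-only values such
    as ``javascript:`` are rejected, so a forged ``nextURL`` cannot send a
    freshly logged-in user off-site.
    """
    from urllib.parse import urlsplit

    # A site path always starts with a single '/'; '//host' and '/\host' are
    # both read as protocol-relative URLs by browsers.
    if not url.startswith('/') or url.startswith(('//', '/\\')):
        return False
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc


def login(request):
    ...
    auth_login(request, user)
    nextURL = request.POST.get('nextURL')
    # nextURL is a hidden form field the browser sent back, so it is
    # attacker-controllable: only follow it when it stays on this site,
    # otherwise fall through to the default landing page.
    if nextURL and _is_local_path(nextURL):
        return redirect(nextURL)
    messages.success(request, '登入成功')
    return redirect('main:main')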

▸ 管理者權限函式

main/views.py
from functools import wraps
from urllib.parse import urlencode

from django.contrib import messages
from django.shortcuts import render, redirect
from django.urls.base import reverse


def about(request):
    ...


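def admin_required(func):
    """Allow a view only for superusers; send everyone else to the login page.

    Wraps ``func`` so that a request whose user is not a superuser (an
    anonymous user included) gets an error message and a redirect to
    ``account:login`` with ``next`` set to the requested path, so the user
    lands back on this view after logging in.  Superusers go straight through
    to ``func`` with all positional and keyword arguments intact.
    """
    @wraps(func)  # keep the view's __name__/__doc__ for tracebacks and tooling
    def auth(request, *args, **kwargs):
        if not request.user.is_superuser:
            messages.error(request, '請以管理者身份登入')
            # urlencode() escapes '&', '#' and '?' inside the current path so
            # it survives as one ``next`` value instead of being split into
            # extra query parameters of the login URL.
            query = urlencode({'next': request.get_full_path()})
            return redirect(reverse('account:login') + '?' + query)
        return func(request, *args, **kwargs)
    return auth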

▸ 管理者權限設定

article/views.py
...

from article.models import Article, Comment
from article.forms import ArticleForm
from main.views import admin_required

...

@admin_required
def articleCreate(request):
    ...

@admin_required
def articleUpdate(request, articleId):
    ...

@admin_required
def articleDelete(request, articleId):
    ...

▸ 範本裡管理者存取權限

article/templates/article/article.html
...
{% include 'article/searchForm.html' %}
{% if user.is_superuser %}
  <p class="inlineBlock"><a class="btn inlineBlock" href="{% url 'article:articleCreate' %}">新增文章</a></p>
{% endif %}
<br><br><hr>
...
  <h3 class="inlineBlock"><a href="{% url 'article:articleRead' article.id %}">{{ article.title }}</a></h3>
  {% if user.is_superuser %}
    <form class="inlineBlock" method="post" action="{% url 'article:articleDelete' article.id %}">
      {% csrf_token %}
      <input class="btn deleteConfirm" type="submit" value="刪除">
    </form>
  {% endif %}
  <p>發表時間:{{ article.pubDateTime|date:'Y-m-d H:i' }}</p>
...
article/templates/article/articleRead.html
...
<h3 class="inlineBlock">{{ article.title }}</h3>
{% if user.is_superuser %}
  <a class="btn inlineBlock" href="{% url 'article:articleUpdate' article.id %}">修改</a>
{% endif %}
<p>發表時間:{{ article.pubDateTime|date:'Y-m-d H:i' }}</p>
...

▸ 本章完成專案:blog13.zip