堆栈内存溢出
  简体   繁体   English

在Django模板中使用反向URL查找与关键字争论

[英]Using reverse url lookup in django template with keyword arguements

 原文  2014-07-31 15:33:20       python/ django

问题描述

I would like to use the reverse url lookup available in a django template using keyword arguments instead of positional ones. 我想使用关键字参数而不是位置参数在Django模板中使用反向URL查找。

I have it working using positional arguments just fine as such: 我可以使用位置参数来工作,就像这样:

HTML: HTML: 

    <a href="{% url 'download' customer.pk %}">download</a>

URL: 网址: 

    (r'^generator/download/(?P<customer_id>\d+)/$', 'generator.views.send_file', name='download'),

View definition: 查看定义: 

    def send_file(request, customer_id):

The problem is that I am noticing a security flaw in that now anyone can simply enter as a url like: 问题是,我注意到一个安全漏洞,因为现在任何人都可以简单地以如下网址输入: 

    /generate/download/<any number>/

and download a file that is meant only for someone else. 并下载仅适用于其他人的文件。 I understand that this risk might be able to be mitigated by using user permissions etc, but I still would like to add another layer of security just in case. 我知道可以通过使用用户权限等减轻这种风险,但是我仍然想增加另一层安全性,以防万一。 Maybe I am wrong in my thinking that a keyword argument is safer in this regard because it is not simply available to be passed in the url... But that is what I am thinking. 也许我认为关键字参数在这方面比较安全,因为我不能简单地将其传递给url,这是错误的……但这就是我的想法。

The code as I think it should work looks like: 我认为应该工作的代码如下:

HTML: HTML: 

    <a href="{% url 'download' customer_id=customer.pk %}">download</a>

URL: 网址: 

    (r'^generator/download/$', 'generator.views.send_file', name='download'),

View definition: 查看定义: 

    def send_file(request, customer_id=None):
        customer = get_object_or_404(Customer, pk=customer_id)
        ... other code

meaning if /generate/download/ is entered in the url (without the accompanying kwarg) it would just give them 404. 意思是,如果在网址中输入/ generate / download /(没有随附的kwarg),则只会给他们404。

but I am getting the following error when I try to use this code: 但是当我尝试使用此代码时出现以下错误: 

Reverse for 'download' with arguments '()' and keyword arguments '{u'customer_id': 33}' not found. 1 pattern(s) tried: ['generator/download/$']

I'm sure it is something silly that I simply passed over in the django url dispatcher docs, or perhaps it is in the way I am defining my view (perhaps I need **kwargs as the argument?) but I can't seem to find it for the life of me. 我敢肯定,我只是在django url调度程序文档中忽略了某种愚蠢的东西,或者这可能是我定义视图的方式(也许我需要** kwargs作为参数?),但我似乎无法为我的生命找到它。

Your help is much appreciated. 非常感谢您的帮助。

1 个解决方案

解决方案1
 1 已采纳  2014-07-31 15:44:48

Your assumption is unfortunately completely wrong. 不幸的是,您的假设是完全错误的。 Keyword arguments are passed in the URL, they are simply sent to the view function in a different way - in kwargs instead of args. 关键字参数在URL 传递,它们只是以不同的方式发送给视图函数-以kwargs而不是args。

The simplest way to solve your problem is just to check the user in the download function itself. 解决问题的最简单方法就是检查下载功能本身中的用户。 

def download(request, pk):
    obj = Download.objects.get(pk)
    if obj.customer_id != request.user.id:
        return HttpResponseForbidden()

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Django反向URL查找模板错误 - Django Reverse URL Lookup Template Error 在 Django 模板中过滤反向查找 - Filtering a reverse lookup in Django template Django:提要的反向查找URL? - Django: reverse lookup URL of feeds? Django中的部分反向URL查找 - Partial reverse url lookup in django Django:将 URL 参数传递给模板标签中反向 URL 查找的每个实例 - Django: passing a URL parameter to every instance of a reverse URL lookup in a template tag Django反向查找呈现相同(错误)模板 - Django reverse lookup rendering the same (wrong) template Django URL反向隐藏关键字参数 - django url reverse hiding keyword arguments 使用反向外键查找的Django ListView - Django ListView using reverse foreignkey lookup 如何通过URL将Django模板中的多个论点传递给View? - How can I pass multiple arguements from Django Template to View via URL? Django反向URL在模板中带有可选参数 - Django reverse url with optional arguments in template
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM