In fact, deleting objects via the GET method leaves you vulnerable to CSRF attacks (https://docs.djangoproject.com/en/dev/ref/contrib/csrf/). DeleteView (https://docs.djangoproject.com/en/1.7/ref/class-based-views/generic-editing/#deleteview) only deletes on POST and shows a confirmation page on GET.
Your views.py should look something like this:
from django.core.urlresolvers import reverse_lazy  # django.urls.reverse_lazy from Django 2.0 on
from django.views.generic import DeleteView
from .models import Post  # assumes Post is defined in this app's models.py

class PostDelete(DeleteView):
    model = Post
    success_url = reverse_lazy('posts.views.all_posts')
In urls.py:
from django.conf.urls import url  # and import PostDelete from your views module
urlpatterns = [
    url(r'^delete/(?P<pk>\d+)/$', PostDelete.as_view(), name='entry_delete'),
]
Your form (without the confirmation template; the docs have an example of the confirmation template):
<form action="{% url 'entry_delete' object.pk %}" method="post">
    {% csrf_token %}
    <input type="submit" value="Delete" />
</form>
If you don't use the confirmation template, make sure the form's action points at the DeleteView (this is why: https://stackoverflow.com/questions/8395269/).
To make sure the user deleting a post is the user who owns it, I like to use mixins (https://docs.djangoproject.com/en/1.7/ref/class-based-views/mixins/). Assuming your Post model has a created_by foreign key pointing to User, you can write a mixin such as:
from django.core.exceptions import PermissionDenied

class PermissionMixin(object):
    def get_object(self, *args, **kwargs):
        # Look the object up as the view normally would, then check ownership.
        obj = super(PermissionMixin, self).get_object(*args, **kwargs)
        if obj.created_by != self.request.user:
            raise PermissionDenied()  # rendered as a 403 response by Django
        return obj
Finally, your DeleteView should inherit from this mixin:
# in views.py, with the same imports as above
class PostDelete(PermissionMixin, DeleteView):
    model = Post
    success_url = reverse_lazy('posts.views.all_posts')