Multi-user management skills in the Django framework (Part 2)
In the previous article, we introduced how to implement multi-user management in the Django framework. This article will continue to share more tips and best practices to help developers better handle multi-user scenarios.
Django provides a built-in permission system that can easily implement user permission management. Define the permission model in models.py:
```python
from django.contrib.auth.models import User
from django.db import models


class Post(models.Model):
    title = models.CharField(max_length=100)
    content = models.TextField()
    author = models.ForeignKey(User, on_delete=models.CASCADE)

    class Meta:
        # Custom model-level permission, referenced as "<app_label>.can_publish"
        permissions = [
            ("can_publish", "Can publish posts"),
        ]
```
The above code defines a Post model, and each article has an author. A permission is defined in the Meta class, named "can_publish", which means that the user can publish articles.
In the view function, you can check whether the user has a certain permission like this:
```python
from django.contrib.auth.decorators import permission_required


@permission_required('blog.can_publish')
def publish_post(request):
    # Logic for publishing the post
    ...
```
Although Django's permission system is built in, it is difficult to use for object-level permission management. Django-guardian is a third-party library that enables more fine-grained permission control at the object level. To use Django-guardian, you need to define a permission model in models.py:
```python
from django.contrib.auth.models import User
from django.db import models
from django.contrib.contenttypes.models import ContentType
from django.contrib.contenttypes.fields import GenericForeignKey


class Post(models.Model):
    title = models.CharField(max_length=100)
    content = models.TextField()
    author = models.ForeignKey(User, on_delete=models.CASCADE)

    class Meta:
        # assign_perm() looks up a Permission with this codename on Post,
        # so the permission has to be declared on the model.
        permissions = [
            ("can_edit", "Can edit post"),
        ]


class PostPermission(models.Model):
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    post = models.ForeignKey(Post, on_delete=models.CASCADE)
    can_edit = models.BooleanField(default=False)
    content_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
    object_id = models.PositiveIntegerField()
    content_object = GenericForeignKey('content_type', 'object_id')
```
The above code defines a Post model, and each article has an author. At the same time, a PostPermission model is defined to represent the user's editing permissions for a certain article. Using Django-guardian's API, users can be given permission to edit a certain article:
```python
from django.contrib.auth.models import User
from blog.models import Post
from guardian.shortcuts import assign_perm

user = User.objects.get(username='testuser')
post = Post.objects.get(id=1)

# Grant the permission on this one Post instance only
assign_perm('can_edit', user, post)
```
In managing multi-user applications, it is sometimes necessary to restrict users to updating only their own information. For example, a social networking site needs to restrict users to updating only their own personal information, not other people's. Permission checking can be implemented in the view function:
```python
from django.contrib.auth.decorators import login_required
from django.shortcuts import render, get_object_or_404
from blog.models import Profile


@login_required
def update_profile(request, pk):
    profile = get_object_or_404(Profile, pk=pk)
    # Object-level check: only the owner of the profile may continue
    if request.user != profile.user:
        return render(request, 'profile_error.html')
    if request.method == 'POST':
        # Logic for updating the user's profile
        ...
    else:
        # Return the profile update page
        ...
```
The above code first checks whether the user is logged in, and then obtains the profile instance to be updated based on the primary key. It then checks whether the user is the profile owner: if not, it renders an error page; if so, it renders the update page.
Conclusion
In this article, we have learned how to better handle multi-user scenarios in the Django framework. User permissions can be easily managed using the built-in permission system, while Django-guardian can achieve more fine-grained object-level permission control. Finally, restricting users to updating only their own information can improve application security and user experience. I hope these tips will inspire you in your Django development.