我授予我的超级用户禁止所有其他类型用户的权限,这是我的views.py文件:
@login_required(login_url='login')
def Home(request):
posts = Post.objects.all()
if request.method == "POST":
#taking the id i passed in value attribute
post_id = request.POST.get("post_id")
user_id = request.POST.get("user_id")
if post_id:
post = Post.objects.filter(id=post_id).first()
if post and (post.auther == request.user or request.user.has_perm('main.delete_post')):
post.delete()
elif user_id:
user = User.objects.filter(id=user_id).first()
if user and request.user.is_staff:
try:
group = Group.objects.get(name="default")
group.user_set.remove(user)
print("removed successfully")
except:
print("something went wrong")
pass
try:
group = Group.objects.get(name="mode")
group.user_set.remove(user)
print("removed successfully")
except:
print("something went wrong")
pass
return render(request,"main/home.html", {"posts":posts})
我的html文件:
{% if user.is_staff %}
<form method="post">
{% csrf_token %}
<button type="submit" class="btn btn-warning" value={{post.id}} name="user_id">Ban User</button>
</form>
{% endif %}
如果用户被删除,我尝试打印消息,并且打印删除成功,然后我以该被禁止的用户身份登录,我仍然可以创建帖子,我是否错过了views.py中的某些内容?
我做了很少的研究,发现了错误,我无法禁止用户的原因是我将值作为 post.id 传递 当我传递post.author.id时,问题就解决了