From 4a2e7f1222e06ecf4912f3c4d0abd12d23eb13ba Mon Sep 17 00:00:00 2001
From: jlj <3042504846@qq.com>
Date: Fri, 23 May 2025 16:51:34 +0800
Subject: [PATCH] =?UTF-8?q?=E5=8A=A0=E4=BA=86=E7=94=A8=E6=88=B7=E6=9D=83?= =?UTF-8?q?=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
apps/daren_detail/views.py | 222 +++++++++++++++++++++++++------------
apps/user/views.py | 10 +-
2 files changed, 154 insertions(+), 78 deletions(-)
diff --git a/apps/daren_detail/views.py b/apps/daren_detail/views.py
index 87ee5b7..a882ea9 100644
--- a/apps/daren_detail/views.py
+++ b/apps/daren_detail/views.py
@@ -2202,18 +2202,35 @@ def get_private_pools(request):
from .models import PrivateCreatorPool
import json
- # 获取用户ID
- user_id = request.GET.get('user_id')
-
- if not user_id:
+ # 获取当前认证用户
+ current_user = request.user
+ if not current_user.is_authenticated:
return JsonResponse({
- 'code': 400,
- 'message': '缺少必要参数: user_id',
+ 'code': 401,
+ 'message': '用户未认证',
'data': None
}, json_dumps_params={'ensure_ascii': False})
- # 查询用户的所有私有库
- pools = PrivateCreatorPool.objects.filter(user=user_id)
+ # 检查是否传入了user_id参数,如果传入且与当前用户不匹配,拒绝访问
+ requested_user_id = request.GET.get('user_id')
+ if requested_user_id:
+ try:
+ requested_user_id = int(requested_user_id)
+ if requested_user_id != current_user.id:
+ return JsonResponse({
+ 'code': 403,
+ 'message': '无权限访问其他用户的私有达人库',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+ except (ValueError, TypeError):
+ return JsonResponse({
+ 'code': 400,
+ 'message': 'user_id参数格式错误',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
+ # 查询当前用户的所有私有库
+ pools = PrivateCreatorPool.objects.filter(user_id=current_user.id)
pool_list = []
for pool in pools:
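Review bot: The new 401 and 403 responses in get_private_pools go out with JsonResponse's default HTTP 200, so only the body's `code` field marks the rejection; access logs, proxies and any alerting keyed on HTTP status will record a refused request as a success. Pass the status explicitly, e.g. `}, status=401, json_dumps_params={'ensure_ascii': False})`, and `status=403` / `status=400` on the other two new branches. Every `is_authenticated` guard this commit adds in apps/daren_detail/views.py (create_private_pool, get_private_pool_creators, add_creator_to_private_pool, update_creator_in_private_pool, remove_creator_from_private_pool) repeats the pattern, so fix it once in all of them. The pre-existing 400 branch in this hunk already worked this way, so it may be a deliberate body-only error convention that I can't confirm from here; if so, a comment on the first guard saying so is the fix instead. get_private_pools continues past the end of the hunk.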
@@ -2258,57 +2275,53 @@ def create_private_pool(request):
from apps.user.models import User
import json
+ # 获取当前认证用户
+ current_user = request.user
+ if not current_user.is_authenticated:
+ return JsonResponse({
+ 'code': 401,
+ 'message': '用户未认证',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
data = json.loads(request.body)
logger.info(f"创建私有达人库请求数据: {data}")
- # 获取必要参数
- user_id = data.get('user_id')
+ # 检查是否传入了user_id参数,如果传入且与当前用户不匹配,拒绝访问
+ requested_user_id = data.get('user_id')
+ if requested_user_id:
+ try:
+ requested_user_id = int(requested_user_id)
+ if requested_user_id != current_user.id:
+ return JsonResponse({
+ 'code': 403,
+ 'message': '无权限为其他用户创建私有达人库',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+ except (ValueError, TypeError):
+ return JsonResponse({
+ 'code': 400,
+ 'message': 'user_id参数格式错误',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
+ # 获取必要参数(不再需要user_id参数)
name = data.get('name')
description = data.get('description')
is_default = data.get('is_default', False)
- logger.info(f"解析后的参数: user_id={user_id}, name={name}, description={description}, is_default={is_default}")
+ logger.info(f"解析后的参数: user_id={current_user.id}, name={name}, description={description}, is_default={is_default}")
- if not user_id or not name:
+ if not name:
return JsonResponse({
'code': 400,
- 'message': '缺少必要参数: user_id 或 name',
+ 'message': '缺少必要参数: name',
'data': None
}, json_dumps_params={'ensure_ascii': False})
- # 查询用户信息
- try:
- logger.info(f"尝试查询用户ID: {user_id}")
- # 确保user_id是整数
- user_id = int(user_id)
- user = User.objects.get(id=user_id)
- logger.info(f"查询到的用户信息: {user}")
-
- # 验证user是否是User实例
- if not isinstance(user, User):
- raise ValueError(f"查询结果不是User实例: {type(user)}")
-
- except ValueError as e:
- logger.error(f"用户ID格式错误: {str(e)}")
- return JsonResponse({
- 'code': 400,
- 'message': f'用户ID格式错误: {str(e)}',
- 'data': None
- }, json_dumps_params={'ensure_ascii': False})
- except User.DoesNotExist:
- logger.error(f"用户不存在: {user_id}")
- return JsonResponse({
- 'code': 404,
- 'message': f'找不到ID为 {user_id} 的用户',
- 'data': None
- }, json_dumps_params={'ensure_ascii': False})
- except Exception as e:
- logger.error(f"查询用户时发生错误: {str(e)}")
- raise
-
# 检查是否已存在同名私有库
try:
- existing_pool = PrivateCreatorPool.objects.filter(user_id=user.id, name=name).first()
+ existing_pool = PrivateCreatorPool.objects.filter(user_id=current_user.id, name=name).first()
if existing_pool:
return JsonResponse({
'code': 409,
@@ -2321,12 +2334,12 @@ def create_private_pool(request):
# 如果设置为默认库,则将其他库设为非默认
if is_default:
- PrivateCreatorPool.objects.filter(user_id=user.id, is_default=True).update(is_default=False)
+ PrivateCreatorPool.objects.filter(user_id=current_user.id, is_default=True).update(is_default=False)
# 创建私有库
try:
private_pool = PrivateCreatorPool.objects.create(
- user_id=user.id, # 使用user.id而不是user实例
+ user_id=current_user.id,
name=name,
description=description,
is_default=is_default
@@ -2368,6 +2381,15 @@ def get_private_pool_creators(request, pool_id=None):
from .models import PrivateCreatorPool, PrivateCreatorRelation
import json
+ # 获取当前认证用户
+ current_user = request.user
+ if not current_user.is_authenticated:
+ return JsonResponse({
+ 'code': 401,
+ 'message': '用户未认证',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
# 检查pool_id是否提供
if not pool_id:
pool_id = request.GET.get('pool_id')
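Review bot: `from apps.user.models import User` at the top of the create_private_pool hunk is left unused — the removed lines were the only references to `User` (the lookup, the `isinstance` check and the `User.DoesNotExist` handler), so the import should go with them. A second, minor point on the new `if requested_user_id:` guard: a JSON body carrying `"user_id": 0` is falsy and skips the mismatch comparison; harmless here because the pool is created for `current_user.id` regardless, but `if requested_user_id is not None:` states the intent more precisely (the same guard appears in get_private_pools). The function begins before this hunk, so whatever `try` or decorator wraps the `json.loads(request.body)` call is not visible.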
@@ -2386,13 +2408,16 @@ def get_private_pool_creators(request, pool_id=None):
status = request.GET.get('status', 'active') # 默认只获取活跃状态的达人
keyword = request.GET.get('keyword')
- # 查询私有库信息
+ # 查询私有库信息并验证所有权
try:
- private_pool = PrivateCreatorPool.objects.get(id=pool_id)
+ private_pool = PrivateCreatorPool.objects.get(
+ id=pool_id,
+ user_id=current_user.id # 确保只能访问当前用户的私有库
+ )
except PrivateCreatorPool.DoesNotExist:
return JsonResponse({
'code': 404,
- 'message': f'找不到ID为 {pool_id} 的私有库',
+ 'message': f'找不到ID为 {pool_id} 的私有库或无权限访问',
'data': None
}, json_dumps_params={'ensure_ascii': False})
@@ -2516,6 +2541,15 @@ def add_creator_to_private_pool(request):
from .models import PrivateCreatorPool, PrivateCreatorRelation, CreatorProfile, PublicCreatorPool
import json
+ # 获取当前认证用户
+ current_user = request.user
+ if not current_user.is_authenticated:
+ return JsonResponse({
+ 'code': 401,
+ 'message': '用户未认证',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
data = json.loads(request.body)
# 获取必要参数
@@ -2535,19 +2569,22 @@ def add_creator_to_private_pool(request):
'data': None
}, json_dumps_params={'ensure_ascii': False})
- # 查询私有库信息
+ # 查询私有库信息并验证所有权
try:
- private_pool = PrivateCreatorPool.objects.get(id=pool_id)
+ private_pool = PrivateCreatorPool.objects.get(
+ id=pool_id,
+ user_id=current_user.id # 确保只能操作当前用户的私有库
+ )
except PrivateCreatorPool.DoesNotExist:
return JsonResponse({
'code': 404,
- 'message': f'找不到ID为 {pool_id} 的私有库',
+ 'message': f'找不到ID为 {pool_id} 的私有库或无权限访问',
'data': None
}, json_dumps_params={'ensure_ascii': False})
# 添加达人到私有库
added_creators = []
- skipped_creators = []
+ already_exists_count = 0
for cid in creator_ids:
try:
@@ -2564,7 +2601,7 @@ def add_creator_to_private_pool(request):
).exists()
if exists:
- # 如果已存在,则更新信息
+ # 如果已存在,则更新信息但不显示在响应中
relation = PrivateCreatorRelation.objects.get(
private_pool=private_pool,
creator=creator
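Review bot: The new `PrivateCreatorPool.objects.get(id=pool_id, user_id=current_user.id)` in get_private_pool_creators is guarded only by `except PrivateCreatorPool.DoesNotExist`; `pool_id` can arrive via the query string (`request.GET.get('pool_id')` in this function's previous hunk), and a non-numeric value makes the `id` lookup raise `ValueError` rather than `DoesNotExist`, which this handler does not catch. Whether the function's outer `try` (outside the hunk) turns that into a 500 or something else is not visible. Catching it in the same clause keeps the uniform 404: `except (PrivateCreatorPool.DoesNotExist, ValueError):`. The identical lookup added to add_creator_to_private_pool (hunk `@@ -2535,19 +2569,22 @@`) and `PrivateCreatorPool.objects.get(id=pool_id)` in remove_creator_from_private_pool (hunk `@@ -2723,13 +2781,39 @@`) have the same gap. Folding ownership into the lookup and answering 404 for both the missing and the foreign case is the right shape — it does not reveal whether another user's pool id exists.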
@@ -2579,11 +2616,8 @@ def add_creator_to_private_pool(request):
relation.save()
- added_creators.append({
- 'id': creator.id,
- 'name': creator.name,
- 'action': '更新'
- })
+ # 计数已存在的达人,但不添加到响应列表中
+ already_exists_count += 1
else:
# 创建新的关联
relation = PrivateCreatorRelation.objects.create(
@@ -2601,17 +2635,15 @@ def add_creator_to_private_pool(request):
})
except CreatorProfile.DoesNotExist:
- skipped_creators.append({
- 'id': cid,
- 'reason': '达人不存在或已失效'
- })
+ # 如果达人不存在,直接跳过,不在响应中显示
+ continue
return JsonResponse({
'code': 200,
'message': '操作成功',
'data': {
'added': added_creators,
- 'skipped': skipped_creators,
+ 'already_exists_count': already_exists_count,
'pool': {
'id': private_pool.id,
'name': private_pool.name
@@ -2640,6 +2672,15 @@ def update_creator_in_private_pool(request):
from .models import PrivateCreatorRelation
import json
+ # 获取当前认证用户
+ current_user = request.user
+ if not current_user.is_authenticated:
+ return JsonResponse({
+ 'code': 401,
+ 'message': '用户未认证',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
data = json.loads(request.body)
# 获取必要参数
@@ -2656,7 +2697,7 @@ def update_creator_in_private_pool(request):
# 查询关联信息
try:
- relation = PrivateCreatorRelation.objects.get(id=relation_id)
+ relation = PrivateCreatorRelation.objects.select_related('private_pool').get(id=relation_id)
except PrivateCreatorRelation.DoesNotExist:
return JsonResponse({
'code': 404,
@@ -2664,6 +2705,14 @@ def update_creator_in_private_pool(request):
'data': None
}, json_dumps_params={'ensure_ascii': False})
+ # 验证当前用户是否有权限操作此私有库
+ if relation.private_pool.user_id != current_user.id:
+ return JsonResponse({
+ 'code': 403,
+ 'message': '无权限操作其他用户的私有达人库',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
# 更新信息
if status:
relation.status = status
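Review bot: In the `except CreatorProfile.DoesNotExist:` branch of add_creator_to_private_pool the new `continue` is the last statement of the loop body, so it is a no-op, and a creator id that does not resolve now vanishes without a trace on the server as well as in the response (the removed `skipped_creators` entry at least recorded it). If hiding it from the caller is intended, keep an audit trail with the other `logger` calls in this file, e.g. `logger.info(f"creator {cid} not found or inactive, skipped")` in place of `continue`. The `for cid in creator_ids:` loop and the `try:` that this `except` closes begin in an earlier hunk (`@@ -2535,19 +2569,22 @@`).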
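Review bot: The ownership check added in update_creator_in_private_pool after `PrivateCreatorRelation.objects.select_related('private_pool').get(id=relation_id)` (previous hunk) answers 404 for an unknown relation id and 403 for another user's, so an authenticated caller can learn which relation ids exist; get_private_pool_creators and add_creator_to_private_pool in this same commit instead fold ownership into the lookup and answer one uniform 404. Doing the same here is a one-line change, `relation = PrivateCreatorRelation.objects.select_related('private_pool').get(id=relation_id, private_pool__user_id=current_user.id)`, after which the separate 403 block is dead and can go (the 404 message can say '...或无权限访问' like the others). remove_creator_from_private_pool (hunk `@@ -2723,13 +2781,39 @@`) has the same two-step shape in both branches: `.filter(id__in=relation_ids, private_pool__user_id=current_user.id)` would replace the per-row 403 loop and `.get(id=pool_id, user_id=current_user.id)` the pool check — though for a delete, silently skipping foreign ids instead of refusing the whole request is a behaviour choice to make explicitly. update_creator_in_private_pool continues past this hunk.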
@@ -2703,9 +2752,18 @@ def remove_creator_from_private_pool(request):
def remove_creator_from_private_pool(request):
"""从私有库中移除达人"""
try:
- from .models import PrivateCreatorRelation
+ from .models import PrivateCreatorRelation, PrivateCreatorPool
import json
+ # 获取当前认证用户
+ current_user = request.user
+ if not current_user.is_authenticated:
+ return JsonResponse({
+ 'code': 401,
+ 'message': '用户未认证',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
data = json.loads(request.body)
# 方式1:通过关联ID删除
@@ -2723,13 +2781,39 @@ def remove_creator_from_private_pool(request):
# 检查参数有效性
if relation_ids:
- # 通过关联ID删除
- query = PrivateCreatorRelation.objects.filter(id__in=relation_ids)
+ # 通过关联ID删除 - 需要验证每个关联的权限
+ relations = PrivateCreatorRelation.objects.select_related('private_pool').filter(id__in=relation_ids)
+
+ # 验证权限
+ for relation in relations:
+ if relation.private_pool.user_id != current_user.id:
+ return JsonResponse({
+ 'code': 403,
+ 'message': '无权限操作其他用户的私有达人库',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
+ query = relations
result_type = 'relation_ids'
result_value = relation_ids
elif pool_id and creator_ids:
- # 通过私有库ID和达人ID删除
+ # 通过私有库ID和达人ID删除 - 先验证私有库权限
+ try:
+ private_pool = PrivateCreatorPool.objects.get(id=pool_id)
+ if private_pool.user_id != current_user.id:
+ return JsonResponse({
+ 'code': 403,
+ 'message': '无权限操作其他用户的私有达人库',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+ except PrivateCreatorPool.DoesNotExist:
+ return JsonResponse({
+ 'code': 404,
+ 'message': f'找不到ID为 {pool_id} 的私有库',
+ 'data': None
+ }, json_dumps_params={'ensure_ascii': False})
+
query = PrivateCreatorRelation.objects.filter(
private_pool_id=pool_id,
creator_id__in=creator_ids
diff --git a/apps/user/views.py b/apps/user/views.py
index 51c2e5d..c65cca7 100644
--- a/apps/user/views.py
+++ b/apps/user/views.py
@@ -152,16 +152,8 @@ def update_user_info(request):
company = data.get('company')
name = data.get('name')
- # 获取当前认证用户
+ # 获取当前认证用户(通过token验证)
user = request.user
-
- # 如果请求中包含 user_id 且与当前用户不匹配,返回错误
- if 'user_id' in data and int(data['user_id']) != user.id:
- return JsonResponse({
- 'code': 403,
- 'message': '您只能修改自己的信息',
- 'data': None
- }, json_dumps_params={'ensure_ascii': False})
# 如果是首次登录,需要填写公司和姓名
if not company or not name:
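Review bot: With the `user_id` comparison removed, the visible lines of update_user_info take `user = request.user` without the `is_authenticated` guard that this same commit adds to every view in apps/daren_detail/views.py; unless something outside the hunk (a decorator or middleware — the function's head is not visible) rejects anonymous requests, `user` is an AnonymousUser whose `id` is None when the update that follows runs. The new comment `# 获取当前认证用户(通过token验证)` claims a token check this code does not perform itself, so confirm where it happens, and otherwise mirror the other views: `if not user.is_authenticated:` returning `JsonResponse({'code': 401, 'message': '用户未认证', 'data': None}, json_dumps_params={'ensure_ascii': False})`. Dropping the check also means a `user_id` sent in the body is now ignored instead of refused, which is fine as long as nothing after this hunk reads it — the removed `int(data['user_id'])` could itself raise ValueError on a bad value, so the removal closes that crash path too.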