加了用户权限

jlj 2025-05-23 16:51:34 +08:00
parent 50c2191a65
commit 4a2e7f1222
2 changed files with 154 additions and 78 deletions


@ -2202,18 +2202,35 @@ def get_private_pools(request):
from .models import PrivateCreatorPool from .models import PrivateCreatorPool
import json import json
# 获取用户ID # 获取当前认证用户
user_id = request.GET.get('user_id') current_user = request.user
if not current_user.is_authenticated:
if not user_id:
return JsonResponse({ return JsonResponse({
'code': 400, 'code': 401,
'message': '缺少必要参数: user_id', 'message': '用户未认证',
'data': None 'data': None
}, json_dumps_params={'ensure_ascii': False}) }, json_dumps_params={'ensure_ascii': False})
# 查询用户的所有私有库 # 检查是否传入了user_id参数如果传入且与当前用户不匹配拒绝访问
pools = PrivateCreatorPool.objects.filter(user=user_id) requested_user_id = request.GET.get('user_id')
if requested_user_id:
try:
requested_user_id = int(requested_user_id)
if requested_user_id != current_user.id:
return JsonResponse({
'code': 403,
'message': '无权限访问其他用户的私有达人库',
'data': None
}, json_dumps_params={'ensure_ascii': False})
except (ValueError, TypeError):
return JsonResponse({
'code': 400,
'message': 'user_id参数格式错误',
'data': None
}, json_dumps_params={'ensure_ascii': False})
# 查询当前用户的所有私有库
pools = PrivateCreatorPool.objects.filter(user_id=current_user.id)
pool_list = [] pool_list = []
for pool in pools: for pool in pools:
@ -2258,57 +2275,53 @@ def create_private_pool(request):
from apps.user.models import User from apps.user.models import User
import json import json
# 获取当前认证用户
current_user = request.user
if not current_user.is_authenticated:
return JsonResponse({
'code': 401,
'message': '用户未认证',
'data': None
}, json_dumps_params={'ensure_ascii': False})
data = json.loads(request.body) data = json.loads(request.body)
logger.info(f"创建私有达人库请求数据: {data}") logger.info(f"创建私有达人库请求数据: {data}")
# 获取必要参数 # 检查是否传入了user_id参数如果传入且与当前用户不匹配拒绝访问
user_id = data.get('user_id') requested_user_id = data.get('user_id')
if requested_user_id:
try:
requested_user_id = int(requested_user_id)
if requested_user_id != current_user.id:
return JsonResponse({
'code': 403,
'message': '无权限为其他用户创建私有达人库',
'data': None
}, json_dumps_params={'ensure_ascii': False})
except (ValueError, TypeError):
return JsonResponse({
'code': 400,
'message': 'user_id参数格式错误',
'data': None
}, json_dumps_params={'ensure_ascii': False})
# 获取必要参数不再需要user_id参数
name = data.get('name') name = data.get('name')
description = data.get('description') description = data.get('description')
is_default = data.get('is_default', False) is_default = data.get('is_default', False)
logger.info(f"解析后的参数: user_id={user_id}, name={name}, description={description}, is_default={is_default}") logger.info(f"解析后的参数: user_id={current_user.id}, name={name}, description={description}, is_default={is_default}")
if not user_id or not name: if not name:
return JsonResponse({ return JsonResponse({
'code': 400, 'code': 400,
'message': '缺少必要参数: user_id 或 name', 'message': '缺少必要参数: name',
'data': None 'data': None
}, json_dumps_params={'ensure_ascii': False}) }, json_dumps_params={'ensure_ascii': False})
# 查询用户信息
try:
logger.info(f"尝试查询用户ID: {user_id}")
# 确保user_id是整数
user_id = int(user_id)
user = User.objects.get(id=user_id)
logger.info(f"查询到的用户信息: {user}")
# 验证user是否是User实例
if not isinstance(user, User):
raise ValueError(f"查询结果不是User实例: {type(user)}")
except ValueError as e:
logger.error(f"用户ID格式错误: {str(e)}")
return JsonResponse({
'code': 400,
'message': f'用户ID格式错误: {str(e)}',
'data': None
}, json_dumps_params={'ensure_ascii': False})
except User.DoesNotExist:
logger.error(f"用户不存在: {user_id}")
return JsonResponse({
'code': 404,
'message': f'找不到ID为 {user_id} 的用户',
'data': None
}, json_dumps_params={'ensure_ascii': False})
except Exception as e:
logger.error(f"查询用户时发生错误: {str(e)}")
raise
# 检查是否已存在同名私有库 # 检查是否已存在同名私有库
try: try:
existing_pool = PrivateCreatorPool.objects.filter(user_id=user.id, name=name).first() existing_pool = PrivateCreatorPool.objects.filter(user_id=current_user.id, name=name).first()
if existing_pool: if existing_pool:
return JsonResponse({ return JsonResponse({
'code': 409, 'code': 409,
@ -2321,12 +2334,12 @@ def create_private_pool(request):
# 如果设置为默认库,则将其他库设为非默认 # 如果设置为默认库,则将其他库设为非默认
if is_default: if is_default:
PrivateCreatorPool.objects.filter(user_id=user.id, is_default=True).update(is_default=False) PrivateCreatorPool.objects.filter(user_id=current_user.id, is_default=True).update(is_default=False)
# 创建私有库 # 创建私有库
try: try:
private_pool = PrivateCreatorPool.objects.create( private_pool = PrivateCreatorPool.objects.create(
user_id=user.id, # 使用user.id而不是user实例 user_id=current_user.id,
name=name, name=name,
description=description, description=description,
is_default=is_default is_default=is_default
@ -2368,6 +2381,15 @@ def get_private_pool_creators(request, pool_id=None):
from .models import PrivateCreatorPool, PrivateCreatorRelation from .models import PrivateCreatorPool, PrivateCreatorRelation
import json import json
# 获取当前认证用户
current_user = request.user
if not current_user.is_authenticated:
return JsonResponse({
'code': 401,
'message': '用户未认证',
'data': None
}, json_dumps_params={'ensure_ascii': False})
# 检查pool_id是否提供 # 检查pool_id是否提供
if not pool_id: if not pool_id:
pool_id = request.GET.get('pool_id') pool_id = request.GET.get('pool_id')
@ -2386,13 +2408,16 @@ def get_private_pool_creators(request, pool_id=None):
status = request.GET.get('status', 'active') # 默认只获取活跃状态的达人 status = request.GET.get('status', 'active') # 默认只获取活跃状态的达人
keyword = request.GET.get('keyword') keyword = request.GET.get('keyword')
# 查询私有库信息 # 查询私有库信息并验证所有权
try: try:
private_pool = PrivateCreatorPool.objects.get(id=pool_id) private_pool = PrivateCreatorPool.objects.get(
id=pool_id,
user_id=current_user.id # 确保只能访问当前用户的私有库
)
except PrivateCreatorPool.DoesNotExist: except PrivateCreatorPool.DoesNotExist:
return JsonResponse({ return JsonResponse({
'code': 404, 'code': 404,
'message': f'找不到ID为 {pool_id} 的私有库', 'message': f'找不到ID为 {pool_id} 的私有库或无权限访问',
'data': None 'data': None
}, json_dumps_params={'ensure_ascii': False}) }, json_dumps_params={'ensure_ascii': False})
@ -2516,6 +2541,15 @@ def add_creator_to_private_pool(request):
from .models import PrivateCreatorPool, PrivateCreatorRelation, CreatorProfile, PublicCreatorPool from .models import PrivateCreatorPool, PrivateCreatorRelation, CreatorProfile, PublicCreatorPool
import json import json
# 获取当前认证用户
current_user = request.user
if not current_user.is_authenticated:
return JsonResponse({
'code': 401,
'message': '用户未认证',
'data': None
}, json_dumps_params={'ensure_ascii': False})
data = json.loads(request.body) data = json.loads(request.body)
# 获取必要参数 # 获取必要参数
@ -2535,19 +2569,22 @@ def add_creator_to_private_pool(request):
'data': None 'data': None
}, json_dumps_params={'ensure_ascii': False}) }, json_dumps_params={'ensure_ascii': False})
# 查询私有库信息 # 查询私有库信息并验证所有权
try: try:
private_pool = PrivateCreatorPool.objects.get(id=pool_id) private_pool = PrivateCreatorPool.objects.get(
id=pool_id,
user_id=current_user.id # 确保只能操作当前用户的私有库
)
except PrivateCreatorPool.DoesNotExist: except PrivateCreatorPool.DoesNotExist:
return JsonResponse({ return JsonResponse({
'code': 404, 'code': 404,
'message': f'找不到ID为 {pool_id} 的私有库', 'message': f'找不到ID为 {pool_id} 的私有库或无权限访问',
'data': None 'data': None
}, json_dumps_params={'ensure_ascii': False}) }, json_dumps_params={'ensure_ascii': False})
# 添加达人到私有库 # 添加达人到私有库
added_creators = [] added_creators = []
skipped_creators = [] already_exists_count = 0
for cid in creator_ids: for cid in creator_ids:
try: try:
@ -2564,7 +2601,7 @@ def add_creator_to_private_pool(request):
).exists() ).exists()
if exists: if exists:
# 如果已存在,则更新信息 # 如果已存在,则更新信息但不显示在响应中
relation = PrivateCreatorRelation.objects.get( relation = PrivateCreatorRelation.objects.get(
private_pool=private_pool, private_pool=private_pool,
creator=creator creator=creator
@ -2579,11 +2616,8 @@ def add_creator_to_private_pool(request):
relation.save() relation.save()
added_creators.append({ # 计数已存在的达人,但不添加到响应列表中
'id': creator.id, already_exists_count += 1
'name': creator.name,
'action': '更新'
})
else: else:
# 创建新的关联 # 创建新的关联
relation = PrivateCreatorRelation.objects.create( relation = PrivateCreatorRelation.objects.create(
@ -2601,17 +2635,15 @@ def add_creator_to_private_pool(request):
}) })
except CreatorProfile.DoesNotExist: except CreatorProfile.DoesNotExist:
skipped_creators.append({ # 如果达人不存在,直接跳过,不在响应中显示
'id': cid, continue
'reason': '达人不存在或已失效'
})
return JsonResponse({ return JsonResponse({
'code': 200, 'code': 200,
'message': '操作成功', 'message': '操作成功',
'data': { 'data': {
'added': added_creators, 'added': added_creators,
'skipped': skipped_creators, 'already_exists_count': already_exists_count,
'pool': { 'pool': {
'id': private_pool.id, 'id': private_pool.id,
'name': private_pool.name 'name': private_pool.name
@ -2640,6 +2672,15 @@ def update_creator_in_private_pool(request):
from .models import PrivateCreatorRelation from .models import PrivateCreatorRelation
import json import json
# 获取当前认证用户
current_user = request.user
if not current_user.is_authenticated:
return JsonResponse({
'code': 401,
'message': '用户未认证',
'data': None
}, json_dumps_params={'ensure_ascii': False})
data = json.loads(request.body) data = json.loads(request.body)
# 获取必要参数 # 获取必要参数
@ -2656,7 +2697,7 @@ def update_creator_in_private_pool(request):
# 查询关联信息 # 查询关联信息
try: try:
relation = PrivateCreatorRelation.objects.get(id=relation_id) relation = PrivateCreatorRelation.objects.select_related('private_pool').get(id=relation_id)
except PrivateCreatorRelation.DoesNotExist: except PrivateCreatorRelation.DoesNotExist:
return JsonResponse({ return JsonResponse({
'code': 404, 'code': 404,
@ -2664,6 +2705,14 @@ def update_creator_in_private_pool(request):
'data': None 'data': None
}, json_dumps_params={'ensure_ascii': False}) }, json_dumps_params={'ensure_ascii': False})
# 验证当前用户是否有权限操作此私有库
if relation.private_pool.user_id != current_user.id:
return JsonResponse({
'code': 403,
'message': '无权限操作其他用户的私有达人库',
'data': None
}, json_dumps_params={'ensure_ascii': False})
# 更新信息 # 更新信息
if status: if status:
relation.status = status relation.status = status
@ -2703,9 +2752,18 @@ def update_creator_in_private_pool(request):
def remove_creator_from_private_pool(request): def remove_creator_from_private_pool(request):
"""从私有库中移除达人""" """从私有库中移除达人"""
try: try:
from .models import PrivateCreatorRelation from .models import PrivateCreatorRelation, PrivateCreatorPool
import json import json
# 获取当前认证用户
current_user = request.user
if not current_user.is_authenticated:
return JsonResponse({
'code': 401,
'message': '用户未认证',
'data': None
}, json_dumps_params={'ensure_ascii': False})
data = json.loads(request.body) data = json.loads(request.body)
# 方式1通过关联ID删除 # 方式1通过关联ID删除
@ -2723,13 +2781,39 @@ def remove_creator_from_private_pool(request):
# 检查参数有效性 # 检查参数有效性
if relation_ids: if relation_ids:
# 通过关联ID删除 # 通过关联ID删除 - 需要验证每个关联的权限
query = PrivateCreatorRelation.objects.filter(id__in=relation_ids) relations = PrivateCreatorRelation.objects.select_related('private_pool').filter(id__in=relation_ids)
# 验证权限
for relation in relations:
if relation.private_pool.user_id != current_user.id:
return JsonResponse({
'code': 403,
'message': '无权限操作其他用户的私有达人库',
'data': None
}, json_dumps_params={'ensure_ascii': False})
query = relations
result_type = 'relation_ids' result_type = 'relation_ids'
result_value = relation_ids result_value = relation_ids
elif pool_id and creator_ids: elif pool_id and creator_ids:
# 通过私有库ID和达人ID删除 # 通过私有库ID和达人ID删除 - 先验证私有库权限
try:
private_pool = PrivateCreatorPool.objects.get(id=pool_id)
if private_pool.user_id != current_user.id:
return JsonResponse({
'code': 403,
'message': '无权限操作其他用户的私有达人库',
'data': None
}, json_dumps_params={'ensure_ascii': False})
except PrivateCreatorPool.DoesNotExist:
return JsonResponse({
'code': 404,
'message': f'找不到ID为 {pool_id} 的私有库',
'data': None
}, json_dumps_params={'ensure_ascii': False})
query = PrivateCreatorRelation.objects.filter( query = PrivateCreatorRelation.objects.filter(
private_pool_id=pool_id, private_pool_id=pool_id,
creator_id__in=creator_ids creator_id__in=creator_ids
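Review bot: In the last hunk of `remove_creator_from_private_pool`, the ownership checks at L279–L285 and L292–L298 first fetch records without a user scope and then answer 403 when the owner differs, which lets a caller confirm that a given relation id or pool id exists under another account; the earlier hunks in this file (`get_private_pool_creators`, `add_creator_to_private_pool`) instead scope the lookup to `user_id=current_user.id` and answer 404 for both cases. Scoping the queries the same way here, `relations = PrivateCreatorRelation.objects.filter(id__in=relation_ids, private_pool__user_id=current_user.id)` and `private_pool = PrivateCreatorPool.objects.get(id=pool_id, user_id=current_user.id)`, makes the per-relation loop and the two 403 branches unnecessary and lets the existing `DoesNotExist` branch return the 404 (its message could take the "或无权限访问" wording used at L155). The same unscoped-get-then-403 pattern appears in `update_creator_in_private_pool` at L240/L248. Note that the relation_ids path would then silently drop foreign ids instead of rejecting the whole request, which seems intended given the later `query` filter, but is worth confirming; the function's delete logic continues past the end of this hunk.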


@ -152,17 +152,9 @@ def update_user_info(request):
company = data.get('company') company = data.get('company')
name = data.get('name') name = data.get('name')
# 获取当前认证用户 # 获取当前认证用户通过token验证
user = request.user user = request.user
# 如果请求中包含 user_id 且与当前用户不匹配,返回错误
if 'user_id' in data and int(data['user_id']) != user.id:
return JsonResponse({
'code': 403,
'message': '您只能修改自己的信息',
'data': None
}, json_dumps_params={'ensure_ascii': False})
# 如果是首次登录,需要填写公司和姓名 # 如果是首次登录,需要填写公司和姓名
if not company or not name: if not company or not name:
return JsonResponse({ return JsonResponse({
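Review bot: The check removed at L316–L322 was the only visible place `update_user_info` rejected a body-supplied `user_id` that differs from `request.user.id`; the hunk does not show what the rest of the function does with `data`, so please confirm that no later line still reads `data['user_id']` (or `data.get('user_id')`) when selecting the row to update, otherwise the removal widens what a caller can change rather than narrowing it. If the remaining code only ever writes to `user`, a short comment at L314 stating that explicitly, e.g. `# user_id in the body is ignored; the update always targets request.user`, would document the contract the hunk now relies on. The function body continues beyond this hunk.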