开启CSRF防跨站点攻击
首先在settings.py的MIDDLEWARE_CLASSES开启相关中间件,
默认已开启
MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
# Uncomment the next line for simple clickjacking protection:
'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
然后在各种模板的<form>后面加入
{% csrf_token %}
第一种方法:
然后在views.py的相关render_to_response中添加
context_instance=RequestContext(request),当然,要先导入相关库:
from django.template import RequestContext
具体用法,请看下面代码部分
相关代码如下:
views.py
def useradd(request):
'''添加用户'''
username = request.session.get('username',None)
userpermissions = User.objects.get(name = username).permissions
departments = Department.objects.all()
usergroups = Usergroup.objects.all()
if request.method == "POST":
fr = UserForm(request.POST)
if fr.is_valid():
User.objects.create(
user = fr.cleaned_data['user'],
passwd = fr.cleaned_data['passwd'],
name = fr.cleaned_data['name'],
post = request.POST.get(u'select1'),
phone = fr.cleaned_data['phone'],
email = fr.cleaned_data['email'],
qq = fr.cleaned_data['qq'],
permissions = request.POST.get(u'select2','-1'), #使用此request后,在forms.py中,不可出现此字段,否则会出错
)
msg = '用户添加成功!'
return render_to_response('msg.html',locals(),context_instance=RequestContext(request)) #跳转到msg.html页面中,并传递msg变量过去
else:
fr = UserForm()
return render_to_response('useradd.html',locals(),context_instance=RequestContext(request))
模板:
<form action="" method="post">{% csrf_token %}
<table>
<tr>
<td width="70px">帐号:</td>
<td >{{ fr.user }} </td>
</tr>
<tr>
<td width="70px">姓名:</td>
<td >{{ fr.name }} </td>
</tr>
其实刚才那{% csrf_token %} 代码,无非就是在form中加入隐藏的value,然后中间件'django.middleware.csrf.CsrfViewMiddleware',
在后台对这个KEY进行验证,如果验证一致,就通过,不一致就排错,这样可以防止跨站点攻击了,如下图所示
第二种方法:
在views.py中使用render,如:
注意最后一行的区别:return
render(request,
'host.html'
,
locals
())
from django.shortcuts import render
def host(request):
username = request.session.get('username',None) #获取登陆的用户名
if username != None: #假如username 不等于 none,即是用户处于登陆状态,则执行下面的请求权限的语句,如果没有登陆,则不请求权限
userpermissions = User.objects.get(name = username).permissions #获取登陆的用户权限
else:
return HttpResponseRedirect('/login.html') #如果用户没有登陆此系统,则跳转到登陆页
iplist = IP.objects.all() #获取所有的IP信息,最后通过下面代码发送前端,端用for把这些信息遍历出来
return render(request,'host.html',locals())