Actually, deleting objects with the GET method leaves you open to
CSRF attacks.
DeleteView only deletes on POST and shows a confirmation page on GET.
Your code should look like this in views.py:

```python
from django.core.urlresolvers import reverse_lazy  # django.urls in Django >= 1.10
from django.views.generic import DeleteView

from .models import Post  # adjust to wherever your Post model lives


class PostDelete(DeleteView):
    model = Post
    success_url = reverse_lazy('posts.views.all_posts')
```
In urls.py:

```python
url(r'^delete/(?P<pk>\d+)/$', PostDelete.as_view(), name='entry_delete'),  # DeleteView looks the object up by the `pk` kwarg
```
Your form (not using the confirmation template; the documentation has an example of a confirmation template):

```html
{# `post` is the object being deleted; the action must resolve to the DeleteView #}
<form method="post" action="{% url 'entry_delete' post.pk %}">
    {% csrf_token %}
    <input type="submit" value="Delete">
</form>
```
If you are not using the confirmation template, make sure the form's action attribute points at the DeleteView (this is why).
To make sure the user deleting a post is the one who owns it, I like to use mixins. Assuming your Post model has a created_by foreign key to User, you can write a mixin like:

```python
from django.core.exceptions import PermissionDenied


class PermissionMixin(object):
    """Refuse to serve the object unless the requesting user created it."""

    def get_object(self, *args, **kwargs):
        obj = super(PermissionMixin, self).get_object(*args, **kwargs)
        if obj.created_by != self.request.user:
            raise PermissionDenied()
        return obj
```
Finally, your DeleteView should inherit from this mixin:

```python
class PostDelete(PermissionMixin, DeleteView):
    model = Post
    success_url = reverse_lazy('posts.views.all_posts')
```
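The following is an added, framework-free example (not code from the answer above and not Django's implementation) that models the three checks the answer relies on: GET never mutates, the POST must carry a csrfmiddlewaretoken matching the CSRF cookie, and the object is only served to its owner. `Post`, `Request`, `cross_site_request`, `delete_via_get` and `delete_view` are hypothetical stand-ins for the Django pieces.

```python
from dataclasses import dataclass, field


@dataclass
class Post:
    pk: int
    created_by: str          # stands in for the created_by FK to User


@dataclass
class Request:
    method: str
    user: str                # identity from the session cookie the browser sends automatically
    csrf_cookie: str         # CSRF cookie, also sent automatically by the browser
    post_data: dict = field(default_factory=dict)


def cross_site_request(user, csrf_cookie, method):
    """A request another origin can make the user's browser issue: the browser
    attaches the cookies, but the other origin cannot read the CSRF cookie, so it
    cannot put a matching csrfmiddlewaretoken into the request body."""
    return Request(method, user, csrf_cookie)


def delete_via_get(request, posts, pk):
    """The pattern the answer warns against: a GET that mutates state, with no
    token and no owner check. Returns an HTTP status code."""
    posts.pop(pk, None)
    return 302


def delete_view(request, posts, pk):
    """Mirrors CsrfViewMiddleware + PermissionMixin + DeleteView (status code only)."""
    if (request.method == "POST"
            and request.post_data.get("csrfmiddlewaretoken") != request.csrf_cookie):
        return 403           # middleware rejects the POST before the view runs
    obj = posts.get(pk)
    if obj is None:
        return 404
    if obj.created_by != request.user:
        return 403           # PermissionMixin.get_object raises PermissionDenied
    if request.method == "GET":
        return 200           # confirmation page; nothing is deleted
    del posts[pk]
    return 302               # redirect to success_url
```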