首先在settings.py的MIDDLEWARE_CLASSES开启相关中间件,默认已开启
MIDDLEWARE_CLASSES = ( 'django.middleware.common.CommonMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', # Uncomment the next line for simple clickjacking protection: 'django.middleware.clickjacking.XFrameOptionsMiddleware', )
然后在各种模板的<form>后面加入
{% csrf_token %}
第一种方法:
然后在views.py的相关render_to_response中添加context_instance=RequestContext(request),当然,要先导入相关库:
from django.template import RequestContext
具体用法,请看下面代码部分
相关代码如下:
views.py
def useradd(request): '''添加用户''' username = request.session.get('username',None) userpermissions = User.objects.get(name = username).permissions departments = Department.objects.all() usergroups = Usergroup.objects.all() if request.method == "POST": fr = UserForm(request.POST) if fr.is_valid(): User.objects.create( user = fr.cleaned_data['user'], passwd = fr.cleaned_data['passwd'], name = fr.cleaned_data['name'], post = request.POST.get(u'select1'), phone = fr.cleaned_data['phone'], email = fr.cleaned_data['email'], qq = fr.cleaned_data['qq'], permissions = request.POST.get(u'select2','-1'), #使用此request后,在forms.py中,不可出现此字段,否则会出错 ) msg = '用户添加成功!' return render_to_response('msg.html',locals(),context_instance=RequestContext(request)) #跳转到msg.html页面中,并传递msg变量过去 else: fr = UserForm() return render_to_response('useradd.html',locals(),context_instance=RequestContext(request))
模板:
<form action="" method="post">{% csrf_token %} <table> <tr> <td width="70px">帐号:</td> <td >{{ fr.user }} </td> </tr> <tr> <td width="70px">姓名:</td> <td >{{ fr.name }} </td> </tr>
其实刚才那{% csrf_token %} 代码,无非就是在form中加入隐藏的value,然后中间件'django.middleware.csrf.CsrfViewMiddleware',
在后台对这个KEY进行验证,如果验证一致,就通过,不一致就排错,这样可以防止跨站点攻击了,如下图所示


第二种方法:
在views.py中使用render,如:
注意最后一行的区别:return
render(request,
'host.html'
,
locals
())
from django.shortcuts import render def host(request): username = request.session.get('username',None) #获取登陆的用户名 if username != None: #假如username 不等于 none,即是用户处于登陆状态,则执行下面的请求权限的语句,如果没有登陆,则不请求权限 userpermissions = User.objects.get(name = username).permissions #获取登陆的用户权限 else: return HttpResponseRedirect('/login.html') #如果用户没有登陆此系统,则跳转到登陆页 iplist = IP.objects.all() #获取所有的IP信息,最后通过下面代码发送前端,端用for把这些信息遍历出来 return render(request,'host.html',locals())
您可以选择一种方式赞助本站
支付宝扫一扫赞助
微信钱包扫描赞助
赏