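<p>It is up to you to control who can do what and where; Django cannot guess this. There are two solutions here:</p>
<p>1/ Keep the URL as it is, but check whether the current user (<code>request.user</code>) is allowed to edit this profile:</p>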
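<pre><code>from django.http import HttpResponseForbidden
from django.shortcuts import get_object_or_404
from .models import Profile  # assumed location of the Profile model

def update_profile(request, profile_id):
    # assume that Profile has a one-to-one relation to User
    profile = get_object_or_404(Profile, pk=profile_id)
    # reject anyone who is not the owner of this profile
    if request.user != profile.user:
        return HttpResponseForbidden()
    # your code here
</code></pre>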
<p>2/ Remove the profile id from the URL and use <code>request.user</code> to get the current user's profile:</p>
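<pre><code>def update_profile(request):
    # assume that Profile has a one-to-one relation to User
    # get_profile() was removed in Django 1.7; on later versions use the
    # one-to-one reverse accessor (its name depends on your model)
    profile = request.user.get_profile()
    # your code here
</code></pre>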
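<p>The two approaches above side by side, as an added example that is not part of the original answer. It runs without a Django project: <code>User</code>, <code>Profile</code>, <code>Request</code>, the <code>PROFILES</code> table, the <code>owner_required</code> decorator and the integer status codes are all hypothetical stand-ins constructed for the illustration.</p>

```python
from dataclasses import dataclass
from functools import wraps

@dataclass(frozen=True)
class User:                      # stand-in for Django's User
    id: int
    is_authenticated: bool = True

@dataclass
class Profile:                   # stand-in for a Profile model, one-to-one to User
    pk: int
    user: User
    bio: str = ""

@dataclass
class Request:                   # stand-in for HttpRequest
    user: User

# Constructed sample data: two users, one profile each, plus an anonymous visitor.
ALICE, BOB, ANON = User(1), User(2), User(0, is_authenticated=False)
PROFILES = {10: Profile(10, ALICE), 20: Profile(20, BOB)}

def owner_required(view):
    """Solution 1 as a decorator: the id comes from the URL, so verify ownership."""
    @wraps(view)
    def wrapper(request, profile_id):
        profile = PROFILES.get(profile_id)
        if profile is None:
            return 404
        if request.user != profile.user:   # also rejects anonymous visitors
            return 403
        return view(request, profile)
    return wrapper

@owner_required
def update_profile(request, profile):
    profile.bio = "edited by owner"
    return 200

def update_own_profile(request):
    """Solution 2: no id in the URL; the profile is derived from request.user."""
    if not request.user.is_authenticated:  # an anonymous user has no profile
        return 401
    profile = next(p for p in PROFILES.values() if p.user == request.user)
    profile.bio = "edited via session user"
    return 200
```

<p>With solution 2 there is no identifier for a client to tamper with, but the view then depends on the user being logged in, which in Django is usually enforced with <code>login_required</code>.</p>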