diff --git a/db.sqlite3 b/db.sqlite3
index a324e3a..c570c39 100644
Binary files a/db.sqlite3 and b/db.sqlite3 differ
diff --git a/elastic/templates/elastic/manage.html b/elastic/templates/elastic/manage.html
index 9a969a1..b8f4a89 100644
--- a/elastic/templates/elastic/manage.html
+++ b/elastic/templates/elastic/manage.html
@@ -36,8 +36,8 @@ {% for it in items %} - - {{ it._id }} + + {{ it.id }} {% if it.image %}
@@ -49,8 +49,8 @@ {{ it.writer_id }} - - + + {% endfor %}
@@ -173,4 +173,4 @@ function doDelete(id){ } - \ No newline at end of file +
diff --git a/elastic/views.py b/elastic/views.py
index 4dd13de..261b39c 100644
--- a/elastic/views.py
+++ b/elastic/views.py
@@ -10,6 +10,7 @@ from django.conf import settings
 from django.http import JsonResponse
 from django.shortcuts import render
 from django.views.decorators.http import require_http_methods
+from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.decorators.csrf import csrf_exempt
 from .es_connect import (
 create_index_with_mapping,
@@ -95,8 +96,17 @@ def get_all_data(request):
 @require_http_methods(["DELETE"])
 @csrf_exempt
 def delete_data(request, doc_id):
- """删除数据"""
+ """删除数据(需登录;管理员或作者本人)"""
+ if not request.session.get("user_id"):
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
 try:
+ existing = get_by_id(doc_id)
+ if not existing:
+ return JsonResponse({"status": "error", "message": "数据不存在"}, status=404)
+ is_admin = (request.session.get("permission", 1) == 0)
+ is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id"))
+ if not (is_admin or is_owner):
+ return JsonResponse({"status": "error", "message": "无权限"}, status=403)
 success = delete_by_id(doc_id)
 if success:
 return JsonResponse({"status": "success", "message": "数据删除成功"})
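Review bot: `delete_data` keeps `@csrf_exempt` while its new body authenticates the caller only through `request.session`, so a forged cross-site DELETE that carries the user's session cookie satisfies the new login/owner/admin checks exactly as a legitimate request does; `update_data` in the following hunk pairs `@csrf_exempt` with the same session checks. This commit already adds `@ensure_csrf_cookie` to `manage_page`, which suggests the template is meant to send the token, so the exemption on both views should go: remove the `@csrf_exempt` line and let Django's CSRF middleware validate these requests. The `is_admin` / `is_owner` computation is now duplicated verbatim in both views; a small helper such as `_can_modify(request, existing)` would keep the two checks from drifting apart. The failure branch and exception handling of `delete_data` lie outside this hunk.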
@@ -109,10 +119,35 @@ def delete_data(request, doc_id):
 @require_http_methods(["PUT"])
 @csrf_exempt
 def update_data(request, doc_id):
- """更新数据"""
+ """更新数据(需登录;管理员或作者本人)"""
+ if not request.session.get("user_id"):
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
 try:
- data = json.loads(request.body.decode('utf-8'))
- success = update_by_id(doc_id, data)
+ payload = json.loads(request.body.decode('utf-8'))
+ except Exception:
+ return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)
+ try:
+ existing = get_by_id(doc_id)
+ if not existing:
+ return JsonResponse({"status": "error", "message": "数据不存在"}, status=404)
+ is_admin = (request.session.get("permission", 1) == 0)
+ is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id"))
+ if not (is_admin or is_owner):
+ return JsonResponse({"status": "error", "message": "无权限"}, status=403)
+
+ updated = {}
+ if "writer_id" in payload:
+ updated["writer_id"] = payload["writer_id"]
+ if "image" in payload:
+ updated["image"] = payload["image"]
+ if "data" in payload:
+ v = payload["data"]
+ if isinstance(v, dict):
+ updated["data"] = json.dumps(v, ensure_ascii=False)
+ else:
+ updated["data"] = str(v)
+
+ success = update_by_id(doc_id, updated)
 if success:
 return JsonResponse({"status": "success", "message": "数据更新成功"})
 else:
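Review bot: The `"writer_id" in payload` branch lets a caller who passed the owner check reassign the document to any other user, because the authorization compares the stored `writer_id` but the update then overwrites it with a client-supplied value; limiting that branch to administrators, `if "writer_id" in payload and is_admin:`, keeps ownership changes an admin action. `payload` is also never checked to be an object: `json.loads` returns an int or list for bodies like `5` or `[]`, and `"writer_id" in payload` then raises `TypeError` inside the second `try`, which presumably lands in the generic handler outside this hunk rather than a 400 — add `if not isinstance(payload, dict): return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)` right after the decode. The `except Exception` around `json.loads` can be narrowed to `except (ValueError, UnicodeDecodeError):`, which covers both the decode and the parse failure. The else/except branches of `update_data` continue past the end of the hunk.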
@@ -265,13 +300,15 @@ def ocr_and_extract_info(image_path: str):
 return parse_response(response_text)
-# 上传页面
 @require_http_methods(["GET"])
 def upload_page(request):
- # if not request.session.get("user_id"):
- # from django.shortcuts import redirect
- # return redirect("/accounts/login/")
- return render(request, "elastic/upload.html")
+ session_user_id = request.session.get("user_id")
+ if session_user_id is None:
+ from django.shortcuts import redirect
+ return redirect("/accounts/login/")
+ user_id_qs = request.GET.get("user_id")
+ context = {"user_id": user_id_qs or session_user_id}
+ return render(request, "elastic/upload.html", context)
 # 上传并识别(不入库)
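Review bot: `context = {"user_id": user_id_qs or session_user_id}` lets a `?user_id=` query parameter replace the authenticated user's id in the template context, so the page presents a client-chosen identity instead of the session's; `manage_page` in the next hunk builds its context the same way. If the upload template posts this value back as the record's `writer_id` (not visible here — worth confirming), any logged-in user could attribute uploads to another account, and even if it is only displayed it is client-controlled data shown as the user's identity. Unless there is an admin use case, `context = {"user_id": session_user_id}` is the safer form; if an override is needed, gate it on the admin permission the other views already derive from `request.session.get("permission", 1) == 0`. The function-local `from django.shortcuts import redirect` could be merged into the file's existing `from django.shortcuts import render` import.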
@@ -341,36 +378,26 @@ def confirm(request):
 @require_http_methods(["GET"])
+@ensure_csrf_cookie
 def manage_page(request):
- if not request.session.get("user_id"):
+ session_user_id = request.session.get("user_id")
+ if session_user_id is None:
 from django.shortcuts import redirect
 return redirect("/accounts/login/")
- if request.session.get("permission", 1) != 0:
- from django.http import HttpResponseForbidden
- return HttpResponseForbidden("forbidden")
- results = search_all()
- return render(request, "elastic/manage.html", {"items": results})
-
- @require_http_methods(["GET"])
-def manage_page(request):
- if not request.session.get("user_id"):
- from django.shortcuts import redirect
- return redirect("/accounts/login/")
- if request.session.get("permission", 1) != 0:
- from django.http import HttpResponseForbidden
- return HttpResponseForbidden("forbidden")
- results = search_all()
- expanded = []
- for item in results:
- try:
- data_obj = json.loads(item.get("data", "{}")) if isinstance(item.get("data"), str) else {}
- except Exception:
- data_obj = {}
- expanded.append({
- "_id": item.get("_id", ""),
- "writer_id": item.get("writer_id", ""),
- "image": item.get("image", ""),
- "data": data_obj,
+ is_admin = (request.session.get("permission", 1) == 0)
+ raw_results = search_all()
+ if not is_admin:
+ uid = str(session_user_id)
+ raw_results = [r for r in raw_results if str(r.get("writer_id", "")) == uid]
+ # 规范化键,避免模板点号访问下划线前缀字段
+ results = []
+ for r in raw_results:
+ results.append({
+ "id": r.get("_id", ""),
+ "writer_id": r.get("writer_id", ""),
+ "image": r.get("image", ""),
+ "data": r.get("data", ""),
 })
- return render(request, "elastic/manage.html", {"items": expanded})
+ user_id_qs = request.GET.get("user_id")
+ context = {"items": results, "user_id": user_id_qs or session_user_id}
+ return render(request, "elastic/manage.html", context)
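Review bot: The `results = []` / `for r in raw_results: results.append({...})` loop is a plain element-wise transformation and reads better as a list comprehension; the rewrite is below. The removed code parsed `data` with `json.loads` into a dict before rendering, whereas the new entries pass the raw `r.get("data", "")` string through — if the template iterates `it.data` as a mapping this changes what renders, so it is worth checking against `manage.html`. The non-admin filter is applied in Python after `search_all()` returns everything; if that helper caps its result size, a non-admin's own documents may be missing from the page.
```python
    # … unchanged: login redirect, is_admin and raw_results filtering …
    # 规范化键,避免模板点号访问下划线前缀字段
    results = [
        {
            "id": r.get("_id", ""),
            "writer_id": r.get("writer_id", ""),
            "image": r.get("image", ""),
            "data": r.get("data", ""),
        }
        for r in raw_results
    ]
    # … unchanged: user_id context and render …
```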