新增“数据编辑”

2025-11-13 19:31:15 +08:00
parent cf57f981c0
commit 127f5c5926
3 changed files with 70 additions and 43 deletions
--- a/db.sqlite3
+++ b/db.sqlite3
--- a/elastic/templates/elastic/manage.html
+++ b/elastic/templates/elastic/manage.html
@@ -36,8 +36,8 @@
    </thead>
    <tbody>
      {% for it in items %}
-      <tr data-id="{{ it._id }}" data-writer="{{ it.writer_id }}" data-image="{{ it.image }}">
-        <td style="max-width:140px; word-break:break-all;">{{ it._id }}</td>
+      <tr data-id="{{ it.id }}" data-writer="{{ it.writer_id }}" data-image="{{ it.image }}">
+        <td style="max-width:140px; word-break:break-all;">{{ it.id }}</td>
        <td>
          {% if it.image %}
          <img src="/media/{{ it.image }}" onerror="this.src='';" />
@@ -49,8 +49,8 @@
        </td>
        <td>{{ it.writer_id }}</td>
        <td>
-          <button class="btn btn-primary" onclick="openEdit('{{ it._id }}')">编辑</button>
-          <button class="btn btn-danger" onclick="doDelete('{{ it._id }}')">删除</button>
+          <button class="btn btn-primary" onclick="openEdit('{{ it.id }}')">编辑</button>
+          <button class="btn btn-danger" onclick="doDelete('{{ it.id }}')">删除</button>
        </td>
      </tr>
      {% endfor %}
--- a/elastic/views.py
+++ b/elastic/views.py
@@ -10,6 +10,7 @@ from django.conf import settings
 from django.http import JsonResponse
 from django.shortcuts import render
 from django.views.decorators.http import require_http_methods
+from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.decorators.csrf import csrf_exempt
 from .es_connect import (
    create_index_with_mapping, 
@@ -95,8 +96,17 @@ def get_all_data(request):
@require_http_methods(["DELETE"])
@csrf_exempt
 def delete_data(request, doc_id):
-    """删除数据"""
+    """删除数据（需登录；管理员或作者本人）"""
+    if not request.session.get("user_id"):
+        return JsonResponse({"status": "error", "message": "未登录"}, status=401)
    try:
+        existing = get_by_id(doc_id)
+        if not existing:
+            return JsonResponse({"status": "error", "message": "数据不存在"}, status=404)
+        is_admin = (request.session.get("permission", 1) == 0)
+        is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id"))
+        if not (is_admin or is_owner):
+            return JsonResponse({"status": "error", "message": "无权限"}, status=403)
        success = delete_by_id(doc_id)
        if success:
            return JsonResponse({"status": "success", "message": "数据删除成功"})
@@ -109,10 +119,35 @@ def delete_data(request, doc_id):
@require_http_methods(["PUT"])
@csrf_exempt
 def update_data(request, doc_id):
-    """更新数据"""
+    """更新数据（需登录；管理员或作者本人）"""
+    if not request.session.get("user_id"):
+        return JsonResponse({"status": "error", "message": "未登录"}, status=401)
    try:
-        data = json.loads(request.body.decode('utf-8'))
-        success = update_by_id(doc_id, data)
+        payload = json.loads(request.body.decode('utf-8'))
+    except Exception:
+        return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)
+    try:
+        existing = get_by_id(doc_id)
+        if not existing:
+            return JsonResponse({"status": "error", "message": "数据不存在"}, status=404)
+        is_admin = (request.session.get("permission", 1) == 0)
+        is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id"))
+        if not (is_admin or is_owner):
+            return JsonResponse({"status": "error", "message": "无权限"}, status=403)
+
+        updated = {}
+        if "writer_id" in payload:
+            updated["writer_id"] = payload["writer_id"]
+        if "image" in payload:
+            updated["image"] = payload["image"]
+        if "data" in payload:
+            v = payload["data"]
+            if isinstance(v, dict):
+                updated["data"] = json.dumps(v, ensure_ascii=False)
+            else:
+                updated["data"] = str(v)
+
+        success = update_by_id(doc_id, updated)
        if success:
            return JsonResponse({"status": "success", "message": "数据更新成功"})
        else:
@@ -265,13 +300,15 @@ def ocr_and_extract_info(image_path: str):
    return parse_response(response_text)


-# 上传页面
@require_http_methods(["GET"])
 def upload_page(request):
-    # if not request.session.get("user_id"):
-    #     from django.shortcuts import redirect
-    #     return redirect("/accounts/login/")
-    return render(request, "elastic/upload.html")
+    session_user_id = request.session.get("user_id")
+    if session_user_id is None:
+        from django.shortcuts import redirect
+        return redirect("/accounts/login/")
+    user_id_qs = request.GET.get("user_id")
+    context = {"user_id": user_id_qs or session_user_id}
+    return render(request, "elastic/upload.html", context)


 # 上传并识别（不入库）
@@ -341,36 +378,26 @@ def confirm(request):


@require_http_methods(["GET"])
+@ensure_csrf_cookie
 def manage_page(request):
-    if not request.session.get("user_id"):
+    session_user_id = request.session.get("user_id")
+    if session_user_id is None:
        from django.shortcuts import redirect
        return redirect("/accounts/login/")
-    if request.session.get("permission", 1) != 0:
-        from django.http import HttpResponseForbidden
-        return HttpResponseForbidden("forbidden")
-    results = search_all()
-    return render(request, "elastic/manage.html", {"items": results})
-
-
-@require_http_methods(["GET"])
-def manage_page(request):
-    if not request.session.get("user_id"):
-        from django.shortcuts import redirect
-        return redirect("/accounts/login/")
-    if request.session.get("permission", 1) != 0:
-        from django.http import HttpResponseForbidden
-        return HttpResponseForbidden("forbidden")
-    results = search_all()
-    expanded = []
-    for item in results:
-        try:
-            data_obj = json.loads(item.get("data", "{}")) if isinstance(item.get("data"), str) else {}
-        except Exception:
-            data_obj = {}
-        expanded.append({
-            "_id": item.get("_id", ""),
-            "writer_id": item.get("writer_id", ""),
-            "image": item.get("image", ""),
-            "data": data_obj,
+    is_admin = (request.session.get("permission", 1) == 0)
+    raw_results = search_all()
+    if not is_admin:
+        uid = str(session_user_id)
+        raw_results = [r for r in raw_results if str(r.get("writer_id", "")) == uid]
+    # 规范化键，避免模板点号访问下划线前缀字段
+    results = []
+    for r in raw_results:
+        results.append({
+            "id": r.get("_id", ""),
+            "writer_id": r.get("writer_id", ""),
+            "image": r.get("image", ""),
+            "data": r.get("data", ""),
        })
-    return render(request, "elastic/manage.html", {"items": expanded})
+    user_id_qs = request.GET.get("user_id")
+    context = {"items": results, "user_id": user_id_qs or session_user_id}
+    return render(request, "elastic/manage.html", context)