diff --git a/db.sqlite3 b/db.sqlite3 index e9b53cf..bc4f13b 100644 Binary files a/db.sqlite3 and b/db.sqlite3 differ diff --git a/elastic/es_connect.py b/elastic/es_connect.py index 47afdf5..47e4437 100644 --- a/elastic/es_connect.py +++ b/elastic/es_connect.py @@ -230,7 +230,7 @@ def update_by_id(doc_id, updated_data): try: # 获取文档 achievement = AchievementDocument.get(id=doc_id) - + print(doc_id) # 更新字段 if 'writer_id' in updated_data: achievement.writer_id = updated_data['writer_id'] @@ -327,6 +327,26 @@ def write_user_data(user_data): print(f"用户数据写入失败: {str(e)}") return False +def get_user_by_id(user_id): + try: + search = UserDocument.search() + search = search.query("term", user_id=user_id) + response = search.execute() + + if response.hits: + hit = response.hits[0] + return { + "user_id": hit.user_id, + "username": hit.username, + "password": hit.password, + "permission": hit.permission + } + return None + + except Exception as e: + print(f"获取用户数据失败: {str(e)}") + return None + def get_user_by_username(username): """ 根据用户名获取用户数据 diff --git a/elastic/indexes.py b/elastic/indexes.py index 8deb548..13b4ba0 100644 --- a/elastic/indexes.py +++ b/elastic/indexes.py @@ -1,5 +1,5 @@ -INDEX_NAME = "wordsearch266666789" -USER_NAME = "users_123" +INDEX_NAME = "wordsearch266666" +USER_NAME = "users" ACHIEVEMENT_INDEX_NAME = INDEX_NAME USER_INDEX_NAME = USER_NAME GLOBAL_INDEX_NAME = "global11111" diff --git a/elastic/views.py b/elastic/views.py index 45d94f7..d9d1037 100644 --- a/elastic/views.py +++ b/elastic/views.py 
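Review bot: The `print(doc_id)` added right after `achievement = AchievementDocument.get(id=doc_id)` in update_by_id reads as a leftover debug statement; it writes every updated document id to stdout on each call and replaces what was a blank line. Either drop it or route it through the logging module at debug level, e.g. `logger.debug("updating achievement %s", doc_id)`, so it can be silenced outside development. The update_by_id body continues past the hunk.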
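Review bot: The dict returned by the new get_user_by_id includes `"password": hit.password` even though the callers visible in this diff (the permission checks in views.py) only read `permission`; handing the stored credential (hash or plaintext, the hunk does not show which) to every caller widens the impact of any accidental logging or serialization of that dict. Suggest dropping the `"password"` entry, or adding a keyword-only `include_password=False` flag for the one caller that genuinely needs it. The `except Exception` branch also turns an Elasticsearch failure into a bare `None`, indistinguishable from "no such user"; `logger.exception("user lookup failed for %s", user_id)` and letting the caller decide would keep an outage from being misread as a deleted account. `response.hits[0]` silently picks one document if several share a user_id, presumably unique in the index, which deserves a one-line comment stating that assumption.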
@@ -84,21 +84,32 @@ def get_all_data(request): @csrf_exempt def delete_data(request, doc_id): """删除数据(需登录;管理员或作者本人)""" - if not request.session.get("user_id"): + request_user=request.session.get("user_id") + # request_admin=request.session.get("permisssion") + if request_user is None: return JsonResponse({"status": "error", "message": "未登录"}, status=401) + + try: existing = get_by_id(doc_id) + user_existing=get_user_by_id(request_user) + if not existing: return JsonResponse({"status": "error", "message": "数据不存在"}, status=404) - is_admin = (request.session.get("permission", 1) == 0) + + is_admin = (user_existing.get('permission') ) == 0 is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id")) + if not (is_admin or is_owner): return JsonResponse({"status": "error", "message": "无权限"}, status=403) success = delete_by_id(doc_id) + if success: return JsonResponse({"status": "success", "message": "数据删除成功"}) else: return JsonResponse({"status": "error", "message": "数据删除失败"}, status=500) + + except Exception as e: return JsonResponse({"status": "error", "message": str(e)}, status=500) 
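Review bot: `is_admin = (user_existing.get('permission') ) == 0` dereferences the result of `get_user_by_id(request_user)` without a None check, and that helper returns None both when the user document is missing and when the lookup itself fails; the resulting AttributeError is caught by the outer `except Exception` and sent to the client as a 500 carrying `str(e)`. Treat a missing user record as unauthenticated instead, by adding `if user_existing is None: return JsonResponse({"status": "error", "message": "未登录"}, status=401)` directly after the lookup. Resolving the admin flag from the stored user record rather than the session value is a sound change, since elsewhere in this diff the session `permission` key is written by unauthenticated code paths; the commented-out `# request_admin=request.session.get("permisssion")` line should simply be deleted rather than kept. The endpoint remains `@csrf_exempt` while authenticating via the session cookie, which predates this hunk but is worth tracking alongside it.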
@@ -107,18 +118,24 @@ def delete_data(request, doc_id): @csrf_exempt def update_data(request, doc_id): """更新数据(需登录;管理员或作者本人)""" - # if not request.session.get("user_id"): - # return JsonResponse({"status": "error", "message": "未登录"}, status=401) + request_user = request.session.get("user_id") + if request_user is None: + return JsonResponse({"status": "error", "message": "未登录"}, status=401) + try: payload = json.loads(request.body.decode('utf-8')) except Exception: return JsonResponse({"status": "error", "message": "JSON无效"}, status=400) try: existing = get_by_id(doc_id) + user_existing = get_user_by_id(request_user) + if not existing: return JsonResponse({"status": "error", "message": "数据不存在"}, status=404) - is_admin = (request.session.get("permission", 1) == 0) + + is_admin = (user_existing.get('permission')) == 0 is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id")) + if not (is_admin or is_owner): return JsonResponse({"status": "error", "message": "无权限"}, status=403) @@ -306,14 +323,14 @@ def upload_page(request): # 上传并识别(不入库) @require_http_methods(["POST"]) def upload(request): - # if not request.session.get("user_id"): - # fallback_uid = request.POST.get("user_id") or request.GET.get("user_id") - # if fallback_uid: - # request.session["user_id"] = fallback_uid - # request.session.setdefault("permission", 1) - # else: - # return JsonResponse({"status": "error", "message": "未登录"}, status=401) - # + if request.session.get("user_id") is None: + fallback_uid = request.POST.get("user_id") or request.GET.get("user_id") + if fallback_uid: + request.session["user_id"] = fallback_uid + request.session.setdefault("permission", 1) + else: + return JsonResponse({"status": "error", "message": "未登录"}, status=401) + file = request.FILES.get("file") if not file: return JsonResponse({"status": "error", "message": "未选择文件"}, status=400) 
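Review bot: As in delete_data, `user_existing.get('permission')` raises AttributeError when get_user_by_id returns None, so a stale session (account removed while still logged in) or a failed lookup yields a 500 with the raw exception text rather than a 401. Add `if user_existing is None: return JsonResponse({"status": "error", "message": "未登录"}, status=401)` after the `get_user_by_id` call, before `is_admin` is computed. The admin/owner computation is now duplicated verbatim between delete_data and update_data; a small private helper returning `(is_admin, is_owner)` would keep the two authorization paths from drifting. The update_data body continues past the hunk.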
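Review bot: The restored fallback in upload lets an unauthenticated caller set `request.session["user_id"]` to any value taken from `request.POST`/`request.GET`, which is an authentication bypass: delete_data and update_data in this same diff trust that session value for their `is_owner` test and now resolve `is_admin` from the user record for that id, so posting an administrator's user_id here yields an admin-capable session. The `setdefault("permission", 1)` no longer limits anything because those views stopped reading the session permission. Remove the fallback and keep only the guard: `if request.session.get("user_id") is None: return JsonResponse({"status": "error", "message": "未登录"}, status=401)`. If the front end genuinely needs to upload before a full login, issue it a server-signed token rather than accepting a bare user id. The upload body continues past the hunk.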
@@ -348,18 +365,18 @@ def upload(request): # 确认并入库 @require_http_methods(["POST"]) def confirm(request): - # if not request.session.get("user_id"): - # # 允许从payload中带入user_id作为后备(便于前端已知用户时继续操作) - # try: - # payload_for_uid = json.loads(request.body.decode("utf-8")) - # except Exception: - # payload_for_uid = {} - # fb_uid = (payload_for_uid or {}).get("user_id") - # if fb_uid: - # request.session["user_id"] = fb_uid - # request.session.setdefault("permission", 1) - # else: - # return JsonResponse({"status": "error", "message": "未登录"}, status=401) + if request.session.get("user_id") is None: + # 允许从payload中带入user_id作为后备(便于前端已知用户时继续操作) + try: + payload_for_uid = json.loads(request.body.decode("utf-8")) + except Exception: + payload_for_uid = {} + fb_uid = (payload_for_uid or {}).get("user_id") + if fb_uid: + request.session["user_id"] = fb_uid + request.session.setdefault("permission", 1) + else: + return JsonResponse({"status": "error", "message": "未登录"}, status=401) try: payload = json.loads(request.body.decode("utf-8")) @@ -392,6 +409,7 @@ def manage_page(request): if session_user_id is None: from django.shortcuts import redirect return redirect("/accounts/login/") + # is_admin = (request.session.get("permission", 1) == 0) raw_results = search_all() # if not is_admin:
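Review bot: The fallback in confirm has the same effect as the one in upload: any caller can establish a session for an arbitrary `user_id` by placing it in the JSON body, and the `setdefault("permission", 1)` provides no protection since the authorization checks added in this diff read `permission` from the user record, not from the session. The body is parsed twice (once here, once in the `try` that follows), so the session is written before the payload is otherwise validated. Replace the block with the plain guard used elsewhere in views.py: `if request.session.get("user_id") is None: return JsonResponse({"status": "error", "message": "未登录"}, status=401)`. The confirm body continues past the hunk.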