From 98056b251572a462b19838f8a81846b61552fe8b Mon Sep 17 00:00:00 2001 From: Viajero-tect <2737079298@qq.com> Date: Fri, 14 Nov 2025 23:10:50 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E2=80=9C=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E7=BC=96=E8=BE=91=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- db.sqlite3 | Bin 131072 -> 131072 bytes elastic/es_connect.py | 22 +++++++++++++- elastic/indexes.py | 4 +-- elastic/views.py | 68 ++++++++++++++++++++++++++---------------- 4 files changed, 66 insertions(+), 28 deletions(-) diff --git a/db.sqlite3 b/db.sqlite3 index e9b53cf29cfa6b1ffd1a4845eb3dd46e26058567..bc4f13bb739d39318150c925877d177a9add6522 100644 GIT binary patch delta 561 zcmZo@;Am*zm>|vQF;T{u)q_E=_s7PR1^rx1d{Y?sefXyEF4(N7Fo{>AF_?wbx5?Bo zJE_Pl(aa<_$0V_^DmS&Tur$M{s=UA=IW;w@xFkJea?LzB`Qn0d?{Z`BU}HCs6$V-vmU$IrR9X3ixSCW%BpMc%n-|1~C5CyH z<~q8WM4GtgyJr}sm3g`cd1hoq5I~o}nnd%xE>Ka)n7#doEkg1-zg@L)D0RscW zHINev3@WSgOp6T+vx`lQi<6UzOHC__3>r;=9%!tDc|a1k4@&0Sge2vK6(@NZz}#o* zlkW<`T|em@mvUq(Wq%EEt#K^42dl8nm|(^D#n@`{*2CQXi+ zr_g+R{r21I88scanD`Gd@IT}~#J_m6V8T>>J2_@YMr;m*1Rx78X^8t-ra%18C=UQw CLayQf delta 354 zcmZo@;Am*zm>|vQGEv5v)rCQ?OK4-tf_@H0ejf&YAHI;qiVA!IjpfX&zD>1`IjNZi zN#=S<%VU(DH)c%e?y7&4LMS{3CF NXOv_GTLfat0{}r`b-w@r diff --git a/elastic/es_connect.py b/elastic/es_connect.py index 47afdf5..47e4437 100644 --- a/elastic/es_connect.py +++ b/elastic/es_connect.py @@ -230,7 +230,7 @@ def update_by_id(doc_id, updated_data): try: # 获取文档 achievement = AchievementDocument.get(id=doc_id) - + print(doc_id) # 更新字段 if 'writer_id' in updated_data: achievement.writer_id = updated_data['writer_id'] 
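Review bot: `print(doc_id)` added right after the `AchievementDocument.get(id=doc_id)` call in update_by_id reads as leftover debugging output rather than part of the change; every update now writes the document id to stdout. Either drop the line or route it through the module's logger at debug level, e.g. `logger.debug("update_by_id: %s", doc_id)` if this module already has a logger (I cannot see the imports from here). The body of update_by_id continues outside the hunk.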
@@ -327,6 +327,26 @@ def write_user_data(user_data):
 print(f"用户数据写入失败: {str(e)}")
 return False
+def get_user_by_id(user_id):
+ try:
+ search = UserDocument.search()
+ search = search.query("term", user_id=user_id)
+ response = search.execute()
+
+ if response.hits:
+ hit = response.hits[0]
+ return {
+ "user_id": hit.user_id,
+ "username": hit.username,
+ "password": hit.password,
+ "permission": hit.permission
+ }
+ return None
+
+ except Exception as e:
+ print(f"获取用户数据失败: {str(e)}")
+ return None
+
 def get_user_by_username(username):
 """
 根据用户名获取用户数据
diff --git a/elastic/indexes.py b/elastic/indexes.py
index 8deb548..13b4ba0 100644
--- a/elastic/indexes.py
+++ b/elastic/indexes.py
@@ -1,5 +1,5 @@
-INDEX_NAME = "wordsearch266666789"
-USER_NAME = "users_123"
+INDEX_NAME = "wordsearch266666"
+USER_NAME = "users"
 ACHIEVEMENT_INDEX_NAME = INDEX_NAME
 USER_INDEX_NAME = USER_NAME
 GLOBAL_INDEX_NAME = "global11111"
diff --git a/elastic/views.py b/elastic/views.py
index 45d94f7..d9d1037 100644
--- a/elastic/views.py
+++ b/elastic/views.py
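Review bot: get_user_by_id returns the stored `password` field together with `permission`, yet its only callers in this commit (delete_data and update_data in views.py) need the permission value; handing the credential to every caller widens where it can end up (a log line, a response built from the dict). Drop the `"password": hit.password,` entry, or add a narrower helper such as `get_user_permission(user_id)` that returns just that value. Second, the `except Exception` branch prints and returns None, which is indistinguishable from "no such user", so callers cannot tell a failed lookup from a missing one; log via the logging module and either re-raise or return a distinct result.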
@@ -84,21 +84,32 @@ def get_all_data(request):
 @csrf_exempt
 def delete_data(request, doc_id):
 """删除数据(需登录;管理员或作者本人)"""
- if not request.session.get("user_id"):
+ request_user=request.session.get("user_id")
+ # request_admin=request.session.get("permisssion")
+ if request_user is None:
 return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+
+
 try:
 existing = get_by_id(doc_id)
+ user_existing=get_user_by_id(request_user)
+
 if not existing:
 return JsonResponse({"status": "error", "message": "数据不存在"}, status=404)
- is_admin = (request.session.get("permission", 1) == 0)
+
+ is_admin = (user_existing.get('permission') ) == 0
 is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id"))
+
 if not (is_admin or is_owner):
 return JsonResponse({"status": "error", "message": "无权限"}, status=403)
 success = delete_by_id(doc_id)
+
 if success:
 return JsonResponse({"status": "success", "message": "数据删除成功"})
 else:
 return JsonResponse({"status": "error", "message": "数据删除失败"}, status=500)
+
+
 except Exception as e:
 return JsonResponse({"status": "error", "message": str(e)}, status=500)
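Review bot: `user_existing` can be None — get_user_by_id (es_connect.py hunk on this page) returns None both when no document matches and when the search raises — and the new `is_admin = (user_existing.get('permission') ) == 0` then raises AttributeError, which the enclosing `except Exception` converts into a 500 whose body is `str(e)`. Guard it directly after the lookup: `if user_existing is None:` / `return JsonResponse({"status": "error", "message": "未登录"}, status=401)`. The update_data hunk (@@ -107,18 +118,24) has the same missing guard. Minor: the commented-out `# request_admin=request.session.get("permisssion")` line (with the typo) should go, and `is_owner` could compare against `request_user` instead of re-reading the session.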
@@ -107,18 +118,24 @@ def delete_data(request, doc_id):
 @csrf_exempt
 def update_data(request, doc_id):
 """更新数据(需登录;管理员或作者本人)"""
- # if not request.session.get("user_id"):
- # return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+ request_user = request.session.get("user_id")
+ if request_user is None:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+
 try:
 payload = json.loads(request.body.decode('utf-8'))
 except Exception:
 return JsonResponse({"status": "error", "message": "JSON无效"}, status=400)
 try:
 existing = get_by_id(doc_id)
+ user_existing = get_user_by_id(request_user)
+
 if not existing:
 return JsonResponse({"status": "error", "message": "数据不存在"}, status=404)
- is_admin = (request.session.get("permission", 1) == 0)
+
+ is_admin = (user_existing.get('permission')) == 0
 is_owner = str(existing.get("writer_id", "")) == str(request.session.get("user_id"))
+
 if not (is_admin or is_owner):
 return JsonResponse({"status": "error", "message": "无权限"}, status=403)
@@ -306,14 +323,14 @@ def upload_page(request):
 # 上传并识别(不入库)
 @require_http_methods(["POST"])
 def upload(request):
- # if not request.session.get("user_id"):
- # fallback_uid = request.POST.get("user_id") or request.GET.get("user_id")
- # if fallback_uid:
- # request.session["user_id"] = fallback_uid
- # request.session.setdefault("permission", 1)
- # else:
- # return JsonResponse({"status": "error", "message": "未登录"}, status=401)
- #
+ if request.session.get("user_id") is None:
+ fallback_uid = request.POST.get("user_id") or request.GET.get("user_id")
+ if fallback_uid:
+ request.session["user_id"] = fallback_uid
+ request.session.setdefault("permission", 1)
+ else:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+
 file = request.FILES.get("file")
 if not file:
 return JsonResponse({"status": "error", "message": "未选择文件"}, status=400)
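Review bot: Re-enabling the fallback in upload lets a request with no session set `request.session["user_id"]` from a plain `user_id` form or query parameter, and that session value then satisfies the login check in every other view; delete_data and update_data (hunks @@ -84 and @@ -107) derive `is_owner` and, through get_user_by_id, `is_admin` from the same session field, so both checks rest on a client-chosen value. Authentication should stay with the login flow: replace the fallback block with `if request.session.get("user_id") is None:` / `return JsonResponse({"status": "error", "message": "未登录"}, status=401)`. The confirm hunk (@@ -348,18 +365,18) re-enables the same fallback from the JSON body and needs the same treatment. The rest of upload continues outside the hunk.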
@@ -348,18 +365,18 @@ def upload(request):
 # 确认并入库
 @require_http_methods(["POST"])
 def confirm(request):
- # if not request.session.get("user_id"):
- # # 允许从payload中带入user_id作为后备(便于前端已知用户时继续操作)
- # try:
- # payload_for_uid = json.loads(request.body.decode("utf-8"))
- # except Exception:
- # payload_for_uid = {}
- # fb_uid = (payload_for_uid or {}).get("user_id")
- # if fb_uid:
- # request.session["user_id"] = fb_uid
- # request.session.setdefault("permission", 1)
- # else:
- # return JsonResponse({"status": "error", "message": "未登录"}, status=401)
+ if request.session.get("user_id") is None:
+ # 允许从payload中带入user_id作为后备(便于前端已知用户时继续操作)
+ try:
+ payload_for_uid = json.loads(request.body.decode("utf-8"))
+ except Exception:
+ payload_for_uid = {}
+ fb_uid = (payload_for_uid or {}).get("user_id")
+ if fb_uid:
+ request.session["user_id"] = fb_uid
+ request.session.setdefault("permission", 1)
+ else:
+ return JsonResponse({"status": "error", "message": "未登录"}, status=401)
 try:
 payload = json.loads(request.body.decode("utf-8"))
@@ -392,6 +409,7 @@ def manage_page(request):
 if session_user_id is None:
 from django.shortcuts import redirect
 return redirect("/accounts/login/")
+ # is_admin = (request.session.get("permission", 1) == 0)
 raw_results = search_all()
 # if not is_admin: