1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
====================
Single object mixins
====================
``SingleObjectMixin``
=====================
.. class:: django.views.generic.detail.SingleObjectMixin
Provides a mechanism for looking up an object associated with the
current HTTP request.
**Methods and Attributes**
.. attribute:: model
The model that this view will display data for. Specifying ``model
= Foo`` is effectively the same as specifying ``queryset =
Foo.objects.all()``, where ``objects`` stands for ``Foo``’s
:ref:`default manager <default-managers>`.
.. attribute:: queryset
A ``QuerySet`` that represents the objects. If provided, the value of
``queryset`` supersedes the value provided for :attr:`model`.
.. warning::
``queryset`` is a class attribute with a *mutable* value so care
must be taken when using it directly. Before using it, either call
its :meth:`~django.db.models.query.QuerySet.all` method or
retrieve it with :meth:`get_queryset` which takes care of the
cloning behind the scenes.
.. attribute:: slug_field
The name of the field on the model that contains the slug. By default,
``slug_field`` is ``'slug'``.
.. attribute:: slug_url_kwarg
The name of the URLConf keyword argument that contains the slug. By
default, ``slug_url_kwarg`` is ``'slug'``.
.. attribute:: pk_url_kwarg
The name of the URLConf keyword argument that contains the primary key.
By default, ``pk_url_kwarg`` is ``'pk'``.
.. attribute:: context_object_name
Designates the name of the variable to use in the context.
.. attribute:: query_pk_and_slug
If ``True``, causes :meth:`get_object()` to perform its lookup using
both the primary key and the slug. Defaults to ``False``.
This attribute can help mitigate `insecure direct object reference`_
attacks. When applications allow access to individual objects by a
sequential primary key, an attacker could brute-force guess all URLs;
thereby obtaining a list of all objects in the application. If users
with access to individual objects should be prevented from obtaining
this list, setting ``query_pk_and_slug`` to ``True`` will help prevent
the guessing of URLs as each URL will require two correct,
non-sequential arguments. Using a unique slug may serve the same
purpose, but this scheme allows you to have non-unique slugs.
.. _insecure direct object reference: https://wiki.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
.. method:: get_object(queryset=None)
Returns the single object that this view will display. If ``queryset``
is provided, that queryset will be used as the source of objects;
otherwise, :meth:`get_queryset` will be used. ``get_object()`` looks
for a :attr:`pk_url_kwarg` argument in the arguments to the view; if
this argument is found, this method performs a primary-key based lookup
using that value. If this argument is not found, it looks for a
:attr:`slug_url_kwarg` argument, and performs a slug lookup using the
:attr:`slug_field`.
When :attr:`query_pk_and_slug` is ``True``, ``get_object()`` will
perform its lookup using both the primary key and the slug.
.. method:: get_queryset()
Returns the queryset that will be used to retrieve the object that
this view will display. By default, :meth:`get_queryset` returns the
value of the :attr:`queryset` attribute if it is set, otherwise
it constructs a :class:`~django.db.models.query.QuerySet` by calling
the ``all()`` method on the :attr:`model` attribute's default manager.
.. method:: get_context_object_name(obj)
Return the context variable name that will be used to contain the
data that this view is manipulating. If :attr:`context_object_name` is
not set, the context name will be constructed from the ``model_name``
of the model that the queryset is composed from. For example, the model
``Article`` would have context object named ``'article'``.
.. method:: get_context_data(**kwargs)
Returns context data for displaying the object.
The base implementation of this method requires that the ``self.object``
attribute be set by the view (even if ``None``). Be sure to do this if
you are using this mixin without one of the built-in views that does so.
It returns a dictionary with these contents:
* ``object``: The object that this view is displaying
(``self.object``).
* ``context_object_name``: ``self.object`` will also be stored under
the name returned by :meth:`get_context_object_name`, which defaults
to the lowercased version of the model name.
.. admonition:: Context variables override values from template context processors
Any variables from :meth:`get_context_data` take precedence over
context variables from :ref:`context processors
<subclassing-context-requestcontext>`. For example, if your view
sets the :attr:`model` attribute to
:class:`~django.contrib.auth.models.User`, the default context
object name of ``user`` would override the ``user`` variable from
the :func:`django.contrib.auth.context_processors.auth` context
processor. Use :meth:`get_context_object_name` to avoid a clash.
.. method:: get_slug_field()
Returns the name of a slug field to be used to look up by slug. By
default this returns the value of :attr:`slug_field`.
``SingleObjectTemplateResponseMixin``
=====================================
.. class:: django.views.generic.detail.SingleObjectTemplateResponseMixin
A mixin class that performs template-based response rendering for views
that operate upon a single object instance. Requires that the view it is
mixed with provides ``self.object``, the object instance that the view is
operating on. ``self.object`` will usually be, but is not required to be,
an instance of a Django model. It may be ``None`` if the view is in the
process of constructing a new instance.
**Extends**
* :class:`~django.views.generic.base.TemplateResponseMixin`
**Methods and Attributes**
.. attribute:: template_name_field
The field on the current object instance that can be used to determine
the name of a candidate template. If either ``template_name_field``
itself or the value of the ``template_name_field`` on the current
object instance is ``None``, the object will not be used for a
candidate template name.
.. attribute:: template_name_suffix
The suffix to append to the auto-generated candidate template name.
Default suffix is ``_detail``.
.. method:: get_template_names()
Returns a list of candidate template names. Returns the following list:
* the value of ``template_name`` on the view (if provided)
* the contents of the ``template_name_field`` field on the
object instance that the view is operating upon (if available)
* ``<app_label>/<model_name><template_name_suffix>.html``
|
