Restricting access to Django generic views

Question

I'm creating a Django app, where users can create accounts for them and then add transactions to each account. Its part of a site that will allow users to track investment gains. I'm making use of the generic class views to achieve this.

Users add transactions to a specific account (code not shown) and then they must be able to view the transactions for that specific account using site/transactions/2/, where 2 is the account ID.

The problem is any logged in user can just change the url to get the transactions of another user's account. I can easily fix this by checking that the given account id belongs to the user, but I think there must be a better way. Are there better ways how I can achieve this? Should I perhaps not URL encode this? I'm not that fond of the idea of users seeing their account ids in the DB anyways.

Also, at a later stage I want to make it possible for the users to view some of their accounts' transaction in a single list. For instance, show all transactions for 3 of their 5 accounts. Then this URL method also won't really work. What other options do I have here?

In models.py I have:

class Account(models.Model):
    name = models.CharField(max_length=40, unique=True, db_index=True)
    user = models.ForeignKey(User)

class Transaction(models.Model):
    value = models.DecimalField(max_digits=15, decimal_places=2)
    date = models.DateField('transaction date')
    account = models.ForeignKey(Account)

In urls.py:

url(r'^(?P<account_id>\d+)/$', views.IndexView.as_view(), name='index'),  

In views.py:

class IndexView(LoginRequiredMixin, generic.ListView):
    model = Transaction

    def get_queryset(self):
        account_id = self.kwargs['account_id']
        queryset = Transaction.objects.filter(account_id=account_id)
        return queryset

And then I have a transaction_list template

Thanks

Answer 1

You could use the helper function get_object_or_404() to first get the account object if you want to have a 404 error.

Like this:

def get_queryset(self):
    account_id = self.kwargs['account_id']

    # raise 404 if no account is found for the current user
    account = get_object_or_404(Account, pk=account_id, user=self.request.user)

    queryset = Transaction.objects.filter(account=account)
    return queryset

For your second thing you mentioned, you could either make a new view, or just check if 'account_id' was in the url, and reuse your current view. You will need a new url either way.

urls.py:

url(r'^(?P<account_id>\d+)/$', views.IndexView.as_view(), name='index'),
url(r'^$', views.IndexView.as_view(), name='index'), 

modify your get_queryset() again for the case where no account id is in the url:

def get_queryset(self):
    # account_id will be None if the second url was the one that matched.
    account_id = self.kwargs.get('account_id', None) 

    if account_id:
        # raise 404 if no account is found for the current user
        account = get_object_or_404(Account, pk=account_id, user=self.request.user)

        queryset = Transaction.objects.filter(account=account)
    else:
        # we're going to show all transactions for the user, rather than a specific account
        queryset = Transaction.objects.filter(account__user=self.request.user)

    return queryset