
Changing the access from everyone to a restricted user: allowing only the user that created the post to edit and delete it

Right now any user can delete and edit any post. I want only the user that created the post to be able to delete or edit it. I used very simple code to update and delete, but the problem is it gives access to everyone... Here's my code.

from django.contrib.auth.decorators import login_required
from django.http import HttpResponseRedirect
from django.utils.decorators import method_decorator
from django.views.generic import DeleteView, UpdateView

from .forms import PostForm
from .models import Post


class PostUpdateView(UpdateView):
    model = Post
    form_class = PostForm
    template_name = 'main/edit.html'

    def form_valid(self, form):
        self.object = form.save(commit=False)
        # Any manual settings go here
        self.object.save()
        return HttpResponseRedirect(self.object.get_absolute_url())

    # login_required only checks that *some* user is logged in; nothing here
    # compares the post's creator with the requesting user, so every logged-in
    # user can edit every post.
    @method_decorator(login_required)
    def dispatch(self, request, *args, **kwargs):
        return super(PostUpdateView, self).dispatch(request, *args, **kwargs)


class PostDeleteView(DeleteView):
    model = Post

    def get_success_url(self):
        return "/"

    # Same problem as above: any logged-in user can delete any post.
    @method_decorator(login_required)
    def dispatch(self, request, *args, **kwargs):
        return super(PostDeleteView, self).dispatch(request, *args, **kwargs)

Thanks in advance.

Edit

from django.contrib.auth.decorators import login_required
from django.http import HttpResponseRedirect
from django.urls import reverse
from django.utils.decorators import method_decorator
from django.views.generic import CreateView

from .forms import PostForm
from .models import Post
# extract() is the poster's own helper that derives an image from the post URL; it is not shown here.


class PostCreateView(CreateView):
    model = Post
    form_class = PostForm
    template_name = 'main/add_post.html'

    def form_valid(self, form):
        self.object = form.save(commit=False)
        # Any manual settings go here.
        # `moderator` records who created the post; it is the field the
        # edit and delete views need to compare against request.user.
        self.object.moderator = self.request.user
        self.object.image = extract(self.object.url)
        self.object.save()
        return HttpResponseRedirect(reverse('post', args=[self.object.slug]))

    @method_decorator(login_required)
    def dispatch(self, request, *args, **kwargs):
        return super(PostCreateView, self).dispatch(request, *args, **kwargs)

According to the docs, you can check whether a user has permission to alter an object like this:

user.has_perm('foo.change_bar')
user.has_perm('foo.delete_bar')

Assuming that you have a created_by field in your post, you could do it like this:

from django.http import HttpResponseForbidden
from django.views.generic import DeleteView

from .models import Post


class PostDeleteView(DeleteView):
    model = Post

    def dispatch(self, request, *args, **kwargs):
        post = Post.objects.get(pk=kwargs['pk'])
        # Both conditions must hold: the model-level delete permission *and*
        # ownership of this particular post. An anonymous user fails both.
        if request.user.has_perm('yourapp.delete_post') and post.created_by == request.user:
            return super(PostDeleteView, self).dispatch(request, *args, **kwargs)
        else:
            return HttpResponseForbidden()

If you want to reuse the logic on multiple occasions, you should consider creating a decorator based on user_passes_test, or this mixin for newer Django versions.

You can add the check in the dispatch method like this:

from django.contrib.auth.decorators import login_required
from django.http import HttpResponseForbidden
from django.utils.decorators import method_decorator
from django.views.generic import UpdateView

from .forms import PostForm
from .models import Post


class PostUpdateView(UpdateView):
    model = Post
    form_class = PostForm
    template_name = 'main/edit.html'

    # login_required runs first, so anonymous users are redirected to the
    # login page before get_object() is ever called.
    @method_decorator(login_required)
    def dispatch(self, request, *args, **kwargs):
        obj = self.get_object()
        # Compare the post's creator (set in PostCreateView.form_valid) with the requesting user.
        if obj.moderator != self.request.user:
            return HttpResponseForbidden()
        return super(PostUpdateView, self).dispatch(request, *args, **kwargs)
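Both answers put the ownership check in dispatch(). As an added example that is not from the question or either answer, here is a reusable mixin that does the check in get_object() instead, so it runs for POST as well as GET and can be shared by the update and delete views; the ImportError fallback, the stub view and the sample users/post at the bottom are constructed only so the file runs without Django installed.

```python
from types import SimpleNamespace  # only for the constructed stand-ins below

try:
    from django.core.exceptions import PermissionDenied
except ImportError:  # fallback so this file also imports without Django installed
    class PermissionDenied(Exception):
        pass

class OwnerRequiredMixin:
    """Restrict UpdateView/DeleteView to the user stored in `owner_field`.
    The check sits in get_object(), which UpdateView.post() and DeleteView.post()
    call as well as get(), so a direct POST to the edit/delete URL is refused too.
    List it after LoginRequiredMixin so anonymous users get a login redirect.
    """

    owner_field = "moderator"  # field name from the question's Post model

    def get_object(self, queryset=None):
        obj = super().get_object(queryset)
        if getattr(obj, self.owner_field) != self.request.user:
            raise PermissionDenied("You may only change your own posts.")  # 403
        return obj

# In views.py (needs Django; kept as a comment so this file runs stand-alone):
#   from django.contrib.auth.mixins import LoginRequiredMixin
#   class PostUpdateView(LoginRequiredMixin, OwnerRequiredMixin, UpdateView): ...
#   class PostDeleteView(LoginRequiredMixin, OwnerRequiredMixin, DeleteView): ...

class _StubView:
    """Stands in for UpdateView/DeleteView: hands back the object for the URL."""
    def __init__(self, post, user):
        self._post = post
        self.request = SimpleNamespace(user=user)

    def get_object(self, queryset=None):
        return self._post

class _GuardedView(OwnerRequiredMixin, _StubView):
    pass

def can_access(post, user):
    """True if `user` obtains `post` through the guarded view, False on 403."""
    try:
        _GuardedView(post, user).get_object()
        return True
    except PermissionDenied:
        return False

# Constructed sample data: ALICE created the post, BOB did not.
ALICE = SimpleNamespace(username="alice")
BOB = SimpleNamespace(username="bob")
SAMPLE_POST = SimpleNamespace(moderator=ALICE)
```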
