Wednesday, November 23, 2011

Re: Django : CSRF and variable handling in a view

> If I don't check anywhere in the view if a user is authenticated, he
> can still use the form to post data and my goal is that if a user is
> authenticated he can't ( in the template if a user is authenticated it
> doesn't display the form ).
> I'm aware that it kind of defy the DRY principle because I have to
> check both in the view and in the template if a user is authenticated
> but I haven't found another way :(


This seems all sorts of wrong to me. Why couldn't the user just log
out and then post? Seems like an odd workflow, but I don't know your
business-case here.

You could always control what is shown to the user in the template (to
limit their ability to use your form to post to the view) with

{% if not user.is_authenticated %}
SHOW FORM
{% else %}
you're logged in so you can't post
{% endif %}

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.

No comments:

Post a Comment