Thanks, it works. Also, other people are able to access the draft posts' detail view through the URL. I thought of a solution where I provide only the list of drafts, and if the user clicks on one it will take them to the edit page of that post. But I am not able to implement this.
On Monday, June 24, 2019 at 8:39:26 PM UTC+5:30, Aldian Fazrihady wrote:
I would implement a get_queryset method that filters blog posts by author=self.request.user

Regards,
Aldian Fazrihady

On Sun, 23 Jun 2019, 20:55 Gaurav Sahu, <gaurav...@gmail.com> wrote:

Hi, I am developing a Django Blog application. In this application, I have a PostEdit view to edit the post and a Delete post view to delete the post. These operations can only be performed by the user who has created that post. I used the Delete view as a functional view and the edit view as a CBV. Now what is happening is that any user is able to delete or edit others' posts through the URL. In my delete post view, since it is a function-based view, I have used an if condition to prevent another user from deleting someone else's post. But since for post edit I am using a CBV, I am not able to find a way to prevent a user from editing someone else's post.

So how can I prevent another user from editing someone else's post?

    class PostUpdateView(LoginRequiredMixin, UpdateView):
        model = Post
        template_name = 'blog/post_form.html'
        form_class = PostForm

        def get_context_data(self, **kwargs):
            context = super().get_context_data(**kwargs)
            context['title'] = 'Update'
            return context

        def form_valid(self, form):
            form.instance.author = self.request.user
            form.save()
            return super().form_valid(form)

    @login_required
    def post_delete(request, slug):
        post = get_object_or_404(Post, slug=slug)
        if (request.user == post.author):
            post.delete()
            return redirect('blog:post_list')
        else:
            return redirect('blog:post_detail', slug=slug)
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django...@googlegroups.com .
To post to this group, send email to django...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users .
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/9b38d4e0- .a30a-43ed-9af6-6c9ac545024f% 40googlegroups.com
For more options, visit https://groups.google.com/d/optout .