Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

In django, how can I ensure that a specific user is accessing a view?

Tags:

python

authentication

django

I would like to be able to check if the user accessing a page is a specific user.

For instance, when a user accesses the "Edit Post" page on my blog app, I want to ensure that the user is the author of the post.

Currently, I check that the user accessing '/Blog/Edit//' has the blog.change_post permission.

However, if a second user (who also has that permission) were to enter the URL to change someone else's post, they would pass that permission check and be able to edit someone else's post.

What I want is a @user_passes_test function that check's the user object accessing the view against the author attribute of the post.

#/Blog/urls.py

urlpatterns = [
    ...
    path('Edit/<int:pk>', views.BlogEdit, name='BlogEdit'),
    ...
]



#/Blog/views.py

@permission_required('blog.change_post', login_url='/Portal/login')
def BlogEdit(request, pk):
post = get_object_or_404(Post, pk=pk)
    if request.method == "POST":
        form = PostForm(request.POST, instance=post)
        if form.is_valid():
            post = form.save(commit=False)
            post.save()
            return redirect('/Blog', pk=post.pk)
    else:
        form = PostForm(instance=post)
    return render(request, 'Blog/Edit.html', {'form': form})
like image 871
xle Avatar asked Oct 14 '25 04:10

xle

1 Answers

You can add an extra filter to your get_object_or_404:

@permission_required('blog.change_post', login_url='/Portal/login')
def BlogEdit(request, pk):
    post = get_object_or_404(Post, pk=pk, author=request.user)
    if request.method == "POST":
        form = PostForm(request.POST, instance=post)
        if form.is_valid():
            form.save()
            return redirect('/Blog', pk=post.pk)
    else:
        form = PostForm(instance=post)
    return render(request, 'Blog/Edit.html', {'form': form})

Here author is the hypothetical ForeignKey from Post to the user model. It is possible that the name is different, but the idea is still the same.

This thus means that in case the pk is the pk of a Blog for which request.user is not the author, then we will have a 404 response.

The advantage of filtering here, is that we use a single query for the filtering. We will not (lazily) load the author to check if it is the same as the logged in user.

Note: post = form.save(commit=False) and post.save() are equivalent to post = form.save() (so with commit=True).

like image 142
Willem Van Onsem Avatar answered Oct 18 '25 15:10

Willem Van Onsem
Sign in to Comment

Related questions

How to avoid reading half-written arrays spanning multiple chunks using zarr?
How can I code Vuong's statistical test in Python?
Parse strings into overlapping pairs with Python [duplicate]
What is the difference between python.exe, python3.exe, and python3.6.exe?
python ast module fails in pydev, succeeds in cmdline python
Confused about a function in Learn Python the Hard Way ex41?
Calculate Akaike Information Criteria (AIC) by hand in Python
What is the default print method of a class when called in a console?
How to find the number of the day in a year based on the actual dates using Pandas?
setItemDelegateForColunm() crasches application without stacktrace
Python: flush logging only at end of script run
How to store variables in arraylist in python
I want to create Python LOGO using Turtle Module
Change Figure Size in Matplotlib
Why does the Stripe-Signature header never match the signature of request.body?
Python 3.10 Type Hinting causes Syntax Error
Airflow Branch Operator and Task Group Invalid Task IDs
Space in f-string leads to ValueError: Invalid format specifier
Plotly clustered heatmap (with dendrogram)/Python
Is there a .any() equivalent in PySpark?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!