Hi,

On 25.05.2009, at 10:59, Mike Ramirez wrote:

> On Monday 25 May 2009 01:41:31 am Andy wrote:
>
>> But how do I stop user A from trying to edit the profile of user B?
>
> in urls.py
>
> url(r'profile/(?P<username>\w+)/', 'up.views.profile', name='profile')

You don't need the user name in the URL to edit your personal profile, and I think in most cases the edit and view pages are 2 different pages.

> in views.py
>
> def edit(request, username):
>     profile = UserProfile.objects.get(username__exact=username)
>     form = None
>     if profile.username == request.user.username:
>         form = UserProfileForm()
>
>     return render_to_response('profile/profile.html',
>                               {'form': form, 'profile': profile},
>                               context_instance=RequestContext(request))

Change the view to something like this:

    from django.contrib.auth.decorators import login_required

    @login_required
    def edit(request):
        # Look up the profile from the logged-in user, never from the URL.
        profile = UserProfile.objects.get(username__exact=request.user.username)
        form = UserProfileForm(instance=profile)
        return render_to_response('profile/profile.html',
                                  {'form': form, 'profile': profile},
                                  context_instance=RequestContext(request))

and the user can only edit his own profile. You have to use the login_required decorator to make sure this works. You need to adapt the Form and template name to your needs.

> in profile/profile.html:
>
> {% if form %}
> Editable User form html.
> {{ form.as_p }}
> {% else %}
> Uneditable user profile info.
> {# loop through profile object showing the user details you want to show off #}
> {% endif %}
>
> The key is in views.py and the check, you should expect request.user to be the
> object representing the current user requesting the page, if the requested
> username and the request.user.username match, return a valid form (you can
> instantiate the form with the profile data) otherwise return the form variable
> set to None and the check in the template will work as expected.
>
> The exact specifics are up to you, but this is how I do it.
>
> Mike
> --
> "Our vision is to speed up time, eventually eliminating it."
> -- Alex Schure
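The two designs discussed in this thread, modelled without Django so the authorization logic can be run on its own. This is an added example, not code from either poster; `Request`, `PROFILES`, the `login_required` stand-in and the tuple return values are constructed for illustration, and the write path on POST is an assumption that goes beyond the views shown in the messages.

```python
# Framework-free model of the two view designs from the thread.
# Request, PROFILES and the (status, payload) tuples are constructed
# stand-ins for illustration, not Django APIs.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: username -> profile fields
PROFILES = {"alice": {"bio": "alice's bio"}, "bob": {"bio": "bob's bio"}}

@dataclass
class Request:
    user: Optional[str]                      # authenticated username, None if anonymous
    method: str = "GET"
    POST: dict = field(default_factory=dict)

def login_required(view):
    """Stand-in for Django's decorator: anonymous requests never reach the view."""
    def wrapper(request, *args, **kwargs):
        if request.user is None:
            return 302, "/accounts/login/"
        return view(request, *args, **kwargs)
    return wrapper

@login_required
def edit_by_url(request, username):
    """Design 1: the target comes from the URL, so ownership is checked on every request."""
    profile = PROFILES.get(username)
    if profile is None:
        return 404, None
    if username != request.user:
        if request.method == "POST":
            return 403, None                 # refuse the write, not only the form
        return 200, {"form": None, "profile": profile}   # read-only page
    if request.method == "POST":
        profile["bio"] = request.POST.get("bio", profile["bio"])
    return 200, {"form": dict(profile), "profile": profile}

@login_required
def edit_own(request):
    """Design 2: the target comes from the session; no identifier is client-supplied."""
    profile = PROFILES[request.user]
    if request.method == "POST":
        profile["bio"] = request.POST.get("bio", profile["bio"])
    return 200, {"form": dict(profile), "profile": profile}
```

In design 1 the ownership comparison has to be repeated on every code path that reads the URL parameter; in design 2 there is nothing to compare because the lookup key never leaves the server.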