Hi,

On 25.05.2009, at 10:59, Mike Ramirez wrote:

> On Monday 25 May 2009 01:41:31 am Andy wrote:
>
>> But how do I stop user A from trying to edit the profile of user B?
>
> in urls.py
>
> url(r'^profile/(?P<username>\w+)/$', 'up.views.profile', name='profile')

You don't need the user name in the URL to edit your personal profile,
and I think in most cases the edit and view pages are 2 different pages.

> in views.py
> def edit(request, username):
>     profile = UserProfile.objects.get(username__exact=username)
>     form = None
>     # Only hand out an editable form when the requested profile is the
>     # requesting user's own; otherwise the template renders read-only info.
>     if profile.username == request.user.username:
>         form = UserProfileForm()
>     return render_to_response('profile/profile.html',
>                               {'form': form, 'profile': profile},
>                               context_instance=RequestContext(request))

Change the view to something like this:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render_to_response
from django.template import RequestContext
# UserProfile and UserProfileForm come from your own app's models and forms.

@login_required
def edit(request):
    # Look up the profile of the logged-in user only; the URL carries no
    # username, so no other user's profile can be addressed from here.
    # Assumes UserProfile has a `user` relation to auth.User; .get() needs a
    # field lookup, a bare request.user.id is not a valid argument.
    profile = UserProfile.objects.get(user=request.user)
    form = UserProfileForm(instance=profile)
    return render_to_response('profile/profile.html',
                              {'form': form, 'profile': profile},
                              context_instance=RequestContext(request))

and the user can only edit his own profile.
You have to use the login_required decorator to make sure this works.
You need to adapt the Form and template name to your needs.


>
> in profile/profile.html:
>
> {% if form %}
>     Editable user form html.
>     {{ form.as_p }}
> {% else %}
>     Uneditable user profile info.
>     {# loop through the profile object showing the user details you want to show off #}
> {% endif %}
>
> The key is in views.py and the check. You should expect request.user to be
> the object representing the current user requesting the page. If the
> requested username and request.user.username match, return a valid form
> (you can instantiate the form with the profile data); otherwise return the
> form variable set to None and the check in the template will work as
> expected.
>
> The exact specifics are up to you, but this is how I do it.
>
> Mike
> -- 
> "Our vision is to speed up time, eventually eliminating it."
>               -- Alex Schure
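An added illustration, not code from either message in the thread: the two designs side by side, with constructed stand-ins for Django's request, user and profile objects (`User`, `Request`, `PROFILES`) so it runs without Django. It shows that the reply's design removes the username parameter entirely, so a tampered URL or POST field has nothing to act on.

```python
class User:
    """Constructed stand-in for django.contrib.auth's User."""
    def __init__(self, username):
        self.username = username


class Request:
    """Constructed stand-in for a Django HttpRequest."""
    def __init__(self, user, method='GET', POST=None):
        self.user = user
        self.method = method
        self.POST = POST or {}


# Constructed profile store standing in for UserProfile.objects.
PROFILES = {'alice': {'bio': 'hello from alice'},
            'bob': {'bio': 'hello from bob'}}

# Fields the form may write; stand-in for the form's field list.
EDITABLE_FIELDS = ('bio',)


def edit_by_username(request, username):
    """Design from the quoted post: the URL names the profile and the view
    compares it with request.user. Every profile stays reachable by name;
    only the form is withheld when the names differ."""
    profile = PROFILES[username]
    form = None
    if username == request.user.username:
        form = dict(profile)      # stand-in for UserProfileForm(instance=profile)
    return {'form': form, 'profile': profile}


def edit_own(request):
    """Design from the reply: the profile is derived from request.user and the
    URL carries no username, so there is no parameter to point at another
    user's profile. On POST only whitelisted fields are copied over (a
    stand-in for form.save()); any extra keys such as 'username' are ignored."""
    profile = PROFILES[request.user.username]
    if request.method == 'POST':
        for field in EDITABLE_FIELDS:
            if field in request.POST:
                profile[field] = request.POST[field]
    form = dict(profile)
    return {'form': form, 'profile': profile}
```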

You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en