Re: Is there a version of @login_required that requires the user to log in as a specific user?

2009-05-25 Thread Brian Neal

On May 25, 3:41 am, Andy  wrote:
>
> But how do I stop user A from trying to edit the profile of user B?

You don't let them. You control which profile you get from and save to
the database, right? You look at the request.user object and only
manipulate the data associated with the user specified by request.user.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---



Re: Is there a version of @login_required that requires the user to log in as a specific user?

2009-05-25 Thread Sieker Adi Jörg

Hi,

On 25.05.2009, at 10:59, Mike Ramirez wrote:

> On Monday 25 May 2009 01:41:31 am Andy wrote:
>
>> But how do I stop user A from trying to edit the profile of user B?
>
> in urls.py
>
> url(r'profile/(P)/', 'up.views.profile', name='profile')

You don't need the user name in the URL to edit your personal profile,
and I think in most cases the edit and view pages are 2 different pages.

> in views.py
> def edit(request, username):
>     profile = UserProfile.objects.get(username__exact=username)
>     form = None
>     if profile.username == request.user.username:
>         form = UserProfileForm()
>
>     return render_to_response('profile/profile.html',
>                               {'form': form, 'profile': profile},
>                               context_instance=RequestContext(request))

Change the view to something like this:
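from django.contrib.auth.decorators import login_required
from django.shortcuts import render_to_response
from django.template import RequestContext

@login_required
def edit(request):
    # Look up the profile from the logged-in user only, never from the URL.
    # Assumes UserProfile has a `user` field pointing at auth.User.
    profile = UserProfile.objects.get(user=request.user)
    form = UserProfileForm(instance=profile)
    return render_to_response('profile/profile.html',
                              {'form': form,
                               'profile': profile},
                              context_instance=RequestContext(request))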

and the user can only edit his own profile.
You have to use the login_required decorator to make sure this works.
You need to adapt the Form and template name to your needs.


>
> in profile/profile.html:
>
> {% if form %}
>   Editable User form html.
>   {{ form.as_p }}
> {% else %}
>   Uneditable user profile info.
>   {# loop through profile object showing the user details you want to show off #}
> {% endif %}
>
> The key is in views.py and the check. You should expect request.user to be
> the object representing the current user requesting the page. If the
> requested username and the request.user.username match, return a valid form
> (you can instantiate the form with the profile data); otherwise return the
> form variable set to None and the check in the template will work as
> expected.
>
> The exact specifics are up to you, but this is how I do it.
>
> Mike
> -- 
> "Our vision is to speed up time, eventually eliminating it."
>   -- Alex Schure



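Added example, not part of the original thread and not Django's own code: a decorator of the kind the original question asks for, next to the approach from the replies that picks the profile from request.user alone. The request objects, the PROFILES dict, the integer status returns and the name same_user_required are stand-ins constructed here so the example runs without Django.

```python
from functools import wraps
from types import SimpleNamespace

FORBIDDEN, REDIRECT_TO_LOGIN = 403, 302  # stand-ins for Django's HTTP responses


def same_user_required(view):
    """Allow the view only when the URL's `username` is the logged-in user.

    Hypothetical decorator (not part of Django). It runs for every HTTP
    method, so the POST that saves the form is checked just like the GET.
    """
    @wraps(view)
    def wrapper(request, username, *args, **kwargs):
        if not request.user.is_authenticated:
            return REDIRECT_TO_LOGIN
        if request.user.username != username:
            return FORBIDDEN
        return view(request, username, *args, **kwargs)
    return wrapper


# Constructed in-memory "table" standing in for UserProfile rows.
PROFILES = {"alice": {"bio": "hi"}, "bob": {"bio": "yo"}}


@same_user_required
def edit_by_url(request, username):
    # Variant that keeps the username in the URL; the decorator guards it.
    if request.method == "POST":
        PROFILES[username].update(request.POST)
    return 200


def edit_own(request):
    # Variant with no identifier in the URL: the row is chosen from
    # request.user only, so the client cannot name another user's profile.
    if not request.user.is_authenticated:
        return REDIRECT_TO_LOGIN
    if request.method == "POST":
        PROFILES[request.user.username].update(request.POST)
    return 200


def make_request(username, method="GET", post=None):
    # Constructed stand-in for django.http.HttpRequest; None means anonymous.
    user = SimpleNamespace(username=username,
                           is_authenticated=username is not None)
    return SimpleNamespace(user=user, method=method, POST=post or {})
```

Hiding the form in the template covers only what is displayed; the check has to sit on the code path that writes to the database, which is why both variants test the user before touching PROFILES.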

Re: Is there a version of @login_required that requires the user to log in as a specific user?

2009-05-25 Thread Mike Ramirez
On Monday 25 May 2009 01:41:31 am Andy wrote:

> But how do I stop user A from trying to edit the profile of user B?

in urls.py

url(r'profile/(P)/', 'up.views.profile', name='profile')

in views.py

def edit(request, username):
    profile = UserProfile.objects.get(username__exact=username)
    # Only the profile's owner gets an editable form.
    form = None
    if profile.username == request.user.username:
        form = UserProfileForm()

    return render_to_response('profile/profile.html',
                              {'form': form, 'profile': profile},
                              context_instance=RequestContext(request))

in profile/profile.html:

{% if form %}
Editable User form html.
{{ form.as_p }}
{% else %}
Uneditable user profile info.
{# loop through profile object showing the user details you want to show off #}
{% endif %}

The key is in views.py and the check. You should expect request.user to be the
object representing the current user requesting the page. If the requested
username and the request.user.username match, return a valid form (you can
instantiate the form with the profile data); otherwise return the form variable
set to None and the check in the template will work as expected.

The exact specifics are up to you, but this is how I do it.

Mike
-- 
"Our vision is to speed up time, eventually eliminating it."
-- Alex Schure




Re: Is there a version of @login_required that requires the user to log in as a specific user?

2009-05-25 Thread Andy



On May 24, 9:54 pm, Brian Neal  wrote:
> On May 24, 6:50 pm, Continuation  wrote:
>
> > For example, I have a view edit_profile that edits a user's profile.
> > Obviously I want to make sure that each user can edit his own profile
> > only.
>
> > So before the profile of user A is being edited by edit_profile, I
> > want to make sure the current user is logged in as user A.
>
> > Is there a decorator that can do that?
>
> > Is there a decorator similar to @login_required that requires not only
> > the user to be logged in, but also that he needs to be logged in as a
> > specific user (user A in the above example)?
>
> Well, typically you don't worry about that. If a user is requesting to
> edit a profile, you simply pull up that user's profile.


But how do I stop user A from trying to edit the profile of user B?



Re: Is there a version of @login_required that requires the user to log in as a specific user?

2009-05-24 Thread Brian Neal

On May 24, 6:50 pm, Continuation  wrote:
> For example, I have a view edit_profile that edits a user's profile.
> Obviously I want to make sure that each user can edit his own profile
> only.
>
> So before the profile of user A is being edited by edit_profile, I
> want to make sure the current user is logged in as user A.
>
> Is there a decorator that can do that?
>
> Is there a decorator similar to @login_required that requires not only
> the user to be logged in, but also that he needs to be logged in as a
> specific user (user A in the above example)?

Well, typically you don't worry about that. If a user is requesting to
edit a profile, you simply pull up that user's profile.



Is there a version of @login_required that requires the user to log in as a specific user?

2009-05-24 Thread Continuation

For example, I have a view edit_profile that edits a user's profile.
Obviously I want to make sure that each user can edit his own profile
only.

So before the profile of user A is being edited by edit_profile, I
want to make sure the current user is logged in as user A.

Is there a decorator that can do that?

Is there a decorator similar to @login_required that requires not only
the user to be logged in, but also that he needs to be logged in as a
specific user (user A in the above example)?