Re: Is there a version of @login_required that requires the user to log in as a specific user?
On May 25, 3:41 am, Andy wrote:
>
> But how do I stop user A from trying to edit the profile of user B?

You don't let them. You control which profile you get from and save to the database, right? You look at the request.user object and only manipulate the data associated with the user specified by request.user.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
-~--~~~~--~~--~--~---
Re: Is there a version of @login_required that requires the user to log in as a specific user?
Hi,

On 25.05.2009, at 10:59, Mike Ramirez wrote:

> On Monday 25 May 2009 01:41:31 am Andy wrote:
>
>> But how do I stop user A from trying to edit the profile of user B?
>
> in urls.py
>
> url(r'profile/(P)/', 'up.views.profile', name='profile')

You don't need the user name in the URL to edit your personal profile, and I think in most cases the edit and view pages are 2 different pages.

> in views.py
>
> def edit(request, username):
>     profile = UserProfile.objects.get(username__exact=username)
>     form = None
>     if profile.username == request.user.username:
>         form = UserProfileForm()
>
>     render_to_response('profile/profile.html', {'form': form, 'profile':profile}, context_instance=RequestContext(request))

Change the view to something like this:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render_to_response
from django.template import RequestContext

@login_required
def edit(request):
    # Look up the logged-in user's own profile (same username field as the quoted view).
    profile = UserProfile.objects.get(username__exact=request.user.username)
    form = UserProfileForm(instance=profile)
    return render_to_response(
        'profile/profile.html',
        {'form': form, 'profile': profile},
        context_instance=RequestContext(request))

and the user can only edit his own profile. You have to use the login_required decorator to make sure this works. You need to adapt the Form and template name to your needs.

> in profile/profile.html:
>
> {% if form %}
> Editable User form html.
> {{ form.as_p }}
> {% else %}
> Uneditable user profile info.
> {{ comment loop through profile object showing the user details you want to show off }}
> {% endif %}
>
> The key is in views.py and the check, you should expect request.user to be the
> object representing the current user requesting the page, if the requested
> username and the request.user.username match, return a valid form (you can
> instantiate the form with the profile data) otherwise return the form variable
> set to None and the check in the template will work as expected.
>
> The exact specifics are up to you, but this is how I do it.
>
> Mike
> --
> "Our vision is to speed up time, eventually eliminating it."
> -- Alex Schure
Re: Is there a version of @login_required that requires the user to log in as a specific user?
On Monday 25 May 2009 01:41:31 am Andy wrote:
> But how do I stop user A from trying to edit the profile of user B?

in urls.py

url(r'profile/(P)/', 'up.views.profile', name='profile')

in views.py

from django.shortcuts import render_to_response
from django.template import RequestContext

def edit(request, username):
    profile = UserProfile.objects.get(username__exact=username)
    form = None
    # Only the profile's owner gets an editable form.
    if profile.username == request.user.username:
        form = UserProfileForm()

    # A view has to return its response.
    return render_to_response('profile/profile.html', {'form': form, 'profile': profile}, context_instance=RequestContext(request))

in profile/profile.html:

{% if form %}
Editable User form html.
{{ form.as_p }}
{% else %}
Uneditable user profile info.
{# loop through profile object showing the user details you want to show off #}
{% endif %}

The key is in views.py and the check, you should expect request.user to be the object representing the current user requesting the page, if the requested username and the request.user.username match, return a valid form (you can instantiate the form with the profile data) otherwise return the form variable set to None and the check in the template will work as expected.

The exact specifics are up to you, but this is how I do it.

Mike
--
"Our vision is to speed up time, eventually eliminating it."
-- Alex Schure
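Added example, not part of any message in this thread: the ownership check the replies describe, written as the decorator the original question asks for, next to the variant that takes no username from the URL at all. It is a framework-free Python sketch; PermissionDenied, User, Request and PROFILES are constructed stand-ins (Django ships its own django.core.exceptions.PermissionDenied), and the name same_user_required is hypothetical.

```python
from functools import wraps


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (an HTTP 403)."""


class User:  # constructed stand-in for request.user
    def __init__(self, username, is_authenticated=True):
        self.username = username
        # An attribute here and in Django 1.10+; older releases expose a method.
        self.is_authenticated = is_authenticated


class Request:  # constructed stand-in for HttpRequest
    def __init__(self, user, post=None):
        self.user = user
        self.POST = post or {}


# Constructed sample data standing in for the UserProfile table.
PROFILES = {"alice": {"bio": "hi"}, "bob": {"bio": "yo"}}


def same_user_required(view):
    """Hypothetical decorator: run the view only for the profile's owner."""
    @wraps(view)
    def wrapper(request, username, *args, **kwargs):
        user = request.user
        # Compare the URL's username with the session identity before any
        # read or write, so GET (show form) and POST (save) are both covered.
        if not user.is_authenticated or user.username != username:
            raise PermissionDenied(username)
        return view(request, username, *args, **kwargs)
    return wrapper


@same_user_required
def edit_profile(request, username):
    """Username comes from the URL; the decorator has already vetted it."""
    PROFILES[username].update(request.POST)
    return PROFILES[username]


def edit_own_profile(request):
    """No username in the URL: the target is always request.user's profile."""
    if not request.user.is_authenticated:
        raise PermissionDenied("login required")
    PROFILES[request.user.username].update(request.POST)
    return PROFILES[request.user.username]
```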
Re: Is there a version of @login_required that requires the user to log in as a specific user?
On May 24, 9:54 pm, Brian Neal wrote:
> On May 24, 6:50 pm, Continuation wrote:
>
> > For example, I have a view edit_profile that edits a user's profile.
> > Obviously I want to make sure that each user can edit his own profile
> > only.
>
> > So before the profile of user A is being edited by edit_profile, I
> > want to make sure the current user is logged in as user A.
>
> > Is there a decorator that can do that?
>
> > Is there a decorator similar to @login_required that requires not only
> > the user to be logged in, but also that he needs to be logged in as a
> > specific user (user A in the above example)?
>
> Well, typically you don't worry about that. If a user is requesting to
> edit a profile, you simply pull up that user's profile.

But how do I stop user A from trying to edit the profile of user B?
Re: Is there a version of @login_required that requires the user to log in as a specific user?
On May 24, 6:50 pm, Continuation wrote:
> For example, I have a view edit_profile that edits a user's profile.
> Obviously I want to make sure that each user can edit his own profile
> only.
>
> So before the profile of user A is being edited by edit_profile, I
> want to make sure the current user is logged in as user A.
>
> Is there a decorator that can do that?
>
> Is there a decorator similar to @login_required that requires not only
> the user to be logged in, but also that he needs to be logged in as a
> specific user (user A in the above example)?

Well, typically you don't worry about that. If a user is requesting to edit a profile, you simply pull up that user's profile.
Is there a version of @login_required that requires the user to log in as a specific user?
For example, I have a view edit_profile that edits a user's profile. Obviously I want to make sure that each user can edit his own profile only.

So before the profile of user A is being edited by edit_profile, I want to make sure the current user is logged in as user A.

Is there a decorator that can do that?

Is there a decorator similar to @login_required that requires not only the user to be logged in, but also that he needs to be logged in as a specific user (user A in the above example)?