CODEWITHSUNDEEP
djangodjango-viewsdjango-permissions
Léo Mouyna
Léo Mouyna

Reputation: 25

Django - How to use specific custom permissions in views and templates?

For my "tutorial app", I created some specific permissions after creating an object. Only the object's author have to be able to update or delete it.

I'm a beginner and I'm here to learn, if my methods are ugly be tolerant.

Here my views.py

class CreateArticle(LoginRequiredMixin, generic.CreateView):

model = Article
context_object_name = 'article'
template_name = "blog/edit_article.html"
form_class = ArticleForm

def form_valid(self, form):
    self.object = form.save(commit=False)
    self.object.slug = auto_slug(self.object.titre)
    user = User.objects.get(id=self.request.user.id)
    self.object.auteur = user

    self.object.save()

    """On génère les 2 permissions suivantes :
        Modifier l'article dont on est l'auteur
        Supprimer l'article dont on est l'auteur"""

    content_type = ContentType.objects.get(app_label='blog', model='article')
    permission = Permission.objects.create(
        codename='edit_article_{0}'.format(self.object.id),
        name='Modifier l\'article {0}'.format(self.object.titre),
        content_type=content_type
    )
    user.user_permissions.add(permission)
    permission = Permission.objects.create(
        codename='delete_article_{0}'.format(self.object.id),
        name='Supprimer l\'article {0}'.format(self.object.titre),
        content_type=content_type
    )
    user.user_permissions.add(permission)

    messages.success(self.request, "L'article a été crée")
    return HttpResponseRedirect(self.get_success_url())

So I wanted to use those permissions in my UpdateArticle and DeleteArticle generic views. The problem is that they are specific and I don't know how to use it.

Upvotes: 1

Views: 5824

Answers (1)

denvaar
denvaar

Reputation: 2214

You can create a custom permissions mixin to ensure that only the author is allowed to make changes to an existing article. Here's a quick example:

class SameUserOnlyMixin(object):

    def has_permissions(self):
        # Assumes that your Article model has a foreign key called `auteur`.
        return self.get_object().auteur == self.request.user

    def dispatch(self, request, *args, **kwargs):
        if not self.has_permissions():
            raise Http404('You do not have permission.')
        return super(SameUserOnlyMixin, self).dispatch(
            request, *args, **kwargs)

With this mixin, simply stick it before any generic classes in the views you'd like to use it in.

class CreateArticle(SameUserOnlyMixin, generic.CreateView):
    ...

Check out my other answer for more info.

Upvotes: 5

Related Questions