CODEWITHSUNDEEP
djangodjango-views
Mauricio Kalfelz
Mauricio Kalfelz

Reputation: 79

Updateview does not restrict only to the id of the logged in user

I am using UpdateView, but I need only that when the user that is logged in can change, just the photo of it. As it is now if I type in the browser http://127.0.0.1:8000/change-photo/26/ it changes the photo of the user 26, even though I am logged in with the user 12 I want only the logged in user to be able to change their photo and not the photos of other users

View.py

class PhotoUpdate(UpdateView):
    model= Usuario  
    fields = ['foto']
    template_name='change-photo.html'

    def get_success_url(self):
            return reverse('sistema_index')

url.py

 url(r'^change-photo/(?P<pk>\d+)/$', views.PhotoUpdate.as_view(), 
     name='sistema_change_photo'),

change-photo.html

    {% if user.is_authenticated %}
    {{ user.usuario.pk }}
<form method="post" action="{% url 'sistema_change_photo' user.usuario.pk%}" class="form-signin" enctype="multipart/form-data">
{% csrf_token %}
<div class="form-row "> 
<div class="form-group col-md-12 ">

    {{ form.foto }}
</div>
</div>
<div class="form-row"> 
    <div class="form-group col-md-12">

</div>

<input type="submit" class="btn btn-primary" >

</form>

Upvotes: 1

Views: 624

Answers (2)

Devang Padhiyar
Devang Padhiyar

Reputation: 3697

You can edit your views.py as below.

from django.http import Http404
from django.views.generic import UpdateView
from django.contrib.auth.mixins import LoginRequiredMixin    # Mixin that redirect user to login if not authenticated

class PhotoUpdate(LoginRequiredMixin, UpdateView):
    model= Usuario  
    fields = ['foto']
    template_name='change-photo.html'

    def get_object(self, queryset=None):
        if queryset is None:
            queryset = self.get_queryset()   # This should help to get current user 

        # Next, try looking up by primary key of Usario model.
        queryset = queryset.filter(pk=self.request.user)


        try:
            # Get the single item from the filtered queryset
            obj = queryset.get()
        except queryset.model.DoesNotExist:
            raise Http404("No user matching this query")
        return obj


    def get_success_url(self):
        return reverse('sistema_index')

Inside your urls.py file

url(r'^change-photo/$', views.PhotoUpdate.as_view(), 
     name='sistema_change_photo'),

Upvotes: 3

krs
krs

Reputation: 4154

It depends on what error code you want when trying to access another users photo.

If a 404 is acceptable then the easiest way is to restrict the QuerySet the user is allowed to operate on. Something like this but edit to what you named your user-foreignkey field

class PhotoUpdate(UpdateView):

     ...

     def get_queryset(self):
         return Usuario.objects.filter(user=self.request.user)

If you rather return a permission denied you want to add a permission class to the view.

Upvotes: 3

Related Questions