Reputation: 51
I have a view to which I want to pass all the requests that belong to a hospital. And the user, who belongs to a hospital, can't see other hospitals' requests. How can I return an HttpResponseNotAllowed?
It is an M:1 model: a Hospital has many users, and a User has only 1 hospital. The requests belong to the hospital and the user.
I have this code in my view, but it doesn't work. It only shows me the requests that belong to the hospital, but I can still change the URL to another Hospital ID and see others.
View
def Get_UserRequest(request, Hospital_id):
    # if not request.user.is_authenticated:
    #     return redirect('login')
    if request.user.is_authenticated and request.method == "GET":
        user_sector = int(request.user.FKLab_User.id)
        if user_sector != Hospital_id:
            HttpResponseNotAllowed()
        requests = RequestHepatoPredict.objects.filter(Hospital_id=Hospital_id)
        return render(request, 'user_profile/requests.html', {'requests': requests})
Upvotes: 1
Views: 118
Reputation: 51
This worked for me.
@permission_classes((IsAuthenticated,))
def Get_UserRequest(request, Hospital_id):
    # if not request.user.is_authenticated:
    #     return redirect('login')
    perm = 1
    user = request.user
    if request.user.is_authenticated and request.method == "GET":
        user_sector = user.FKLab_User.id
        requests = []
        if Hospital_id != user_sector:
            perm = 0
        if perm == 0:
            error = "You are not allowed."
            return render(request, "error/error.html", {'error': error})
        requests = RequestHepatoPredict.objects.filter(Hospital_id=Hospital_id)
        return render(request, 'user_profile/requests.html', {'requests': requests})
Upvotes: 1
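The check discussed in this thread, reduced to a framework-free sketch. This is an added example, not code from either post: it contrasts a denial that is built but never returned with a fail-closed version that scopes the query to the user's own hospital. The `Response` class, the function names, the status codes chosen for each branch and the sample rows are constructed stand-ins so it runs without a Django project.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """Stand-in for a Django HttpResponse (assumption, not Django's class)."""
    status: int
    rows: tuple = ()


# Constructed sample data: (request id, hospital id)
REQUESTS = [(1, 10), (2, 10), (3, 20)]


def rows_for(hospital_id):
    """Stand-in for RequestHepatoPredict.objects.filter(Hospital_id=...)."""
    return tuple(rid for rid, hid in REQUESTS if hid == hospital_id)


def view_unchecked(user_hospital_id, url_hospital_id):
    """The denial object is created but not returned, so execution continues."""
    if user_hospital_id != url_hospital_id:
        Response(403)  # discarded: nothing stops the query below
    return Response(200, rows_for(url_hospital_id))


def view_checked(user_hospital_id, url_hospital_id,
                 authenticated=True, method="GET"):
    """Fail closed: every path that is not an explicit allow returns a denial."""
    if not authenticated:
        return Response(401)  # a Django view would typically redirect to login
    if method != "GET":
        return Response(405)
    try:
        requested = int(url_hospital_id)  # a URL capture may arrive as str
    except (TypeError, ValueError):
        return Response(404)
    if requested != user_hospital_id:
        return Response(403)  # Django equivalent: return HttpResponseForbidden()
    # Query with the server-side value, never the client-supplied one.
    return Response(200, rows_for(user_hospital_id))
```

In Django the 403 branch corresponds to `return HttpResponseForbidden()` or `raise PermissionDenied`; `HttpResponseNotAllowed` is the 405 response for a disallowed HTTP method and takes the list of permitted methods as its argument.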