Hi all, I am new to Django, Python and web development in general. I've been playing with Django for a couple of days and I like it. I am writing an application that will allow multiple users to create, update and delete objects. At this point I would like to limit users' access to their own objects. My object model has this field to determine the owner:

    user = models.ForeignKey(User, editable=False)

Now when I tried using the generic create view, I got errors because obviously the user field was not being filled in anywhere. Also, I wanted to make update and delete only work if request.user is the same as object.user. I created a custom ModelForm for my objects:

    from django.contrib.auth.models import User
    from django.forms import ModelForm

    class MyObjectForm(ModelForm):
        class Meta:
            model = MyObject
            exclude = ('user', )
            userid = None

        def save(self, commit=True):
            m = super(MyObjectForm, self).save(commit=False)
            # the owner comes from Meta.userid, which the create wrapper sets
            m.user = User.objects.get(pk=self.Meta.userid)
            if commit:
                m.save()
                # the next call does not work... why? I must have misunderstood the docs
                #super(MyObjectForm, self).save_m2m()
            return m

This overrides the save() method and tries to set the userid as the one in the Meta class.

Next I created wrappers for the generic views. The my_object_create one constructs a new ModelForm from the MyObjectForm and sets the Meta.userid to the request.user.id. The update and delete take the object id and check that object.user == request.user:

    from django.forms.models import ModelFormMetaclass
    from django.http import Http404
    from django.shortcuts import get_object_or_404
    from django.views.generic.create_update import (
        create_object, update_object, delete_object)

    def my_object_create(request, **kwargs):
        # build a per-request form class whose Meta carries the current user's id
        class_name = 'MyObjectForm_' + request.user.username
        class Meta:
            model = MyObject
            exclude = ('user', )
            userid = request.user.id
        kwargs['form_class'] = ModelFormMetaclass(str(class_name), (MyObjectForm,), {'Meta': Meta})
        return create_object(request, **kwargs)

    def my_object_update(request, **kwargs):
        try:
            id = kwargs['object_id']
        except KeyError:
            raise Http404("No id specified")
        # get_object_or_404 turns a missing id into a 404 instead of an
        # unhandled DoesNotExist, so missing and foreign objects look the same
        if get_object_or_404(MyObject, pk=id).user != request.user:
            raise Http404("No object found")
        return update_object(request, **kwargs)

    def my_object_delete(request, **kwargs):
        try:
            id = kwargs['object_id']
        except KeyError:
            raise Http404("No id specified")
        if get_object_or_404(MyObject, pk=id).user != request.user:
            raise Http404("No object found")
        return delete_object(request, **kwargs)

Now I am not very happy with this because it is not generic (if I want a new object with different non-editable fields I need a new form and new wrappers), and because in the update and
delete case I do the object lookup twice (once in the wrapper to check for permission, and once in the generic view). If I were to work on a real thing I would probably give up on the generic views. I've read that a new object-based generic view system is coming and it would solve this. Are there any other solutions? What do you think?
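
An added example, not part of the original post and not Django's own code: a framework-free Python model of the ownership check the wrappers above perform, with one owner-scoped lookup per request, one reusable decorator for update and delete, and the owner taken from the request on create. `Http404`, `Request`, `STORE`, `get_owned`, `owner_required`, `create`, `update` and `delete` are hypothetical stand-ins for Django's exception, request, ORM and views.

```python
from functools import wraps

class Http404(Exception):
    """Stand-in for django.http.Http404."""

class Request:
    """Stand-in for the request; only the authenticated user matters here."""
    def __init__(self, user):
        self.user = user

# Constructed sample data: object_id -> record whose owner field is "user".
STORE = {1: {"user": "alice", "title": "a"}, 2: {"user": "bob", "title": "b"}}

def get_owned(store, object_id, user):
    """Single owner-scoped lookup; the Django ORM equivalent is
    MyObject.objects.get(pk=object_id, user=request.user)."""
    obj = store.get(object_id)
    # Missing and foreign objects fail identically, so the response does
    # not reveal whether another user's object exists.
    if obj is None or obj["user"] != user:
        raise Http404("No object found")
    return obj

def owner_required(store):
    """Decorator reusable for any store/model with a "user" owner field."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, object_id=None, **kwargs):
            if object_id is None:
                raise Http404("No id specified")
            obj = get_owned(store, object_id, request.user)
            # The view receives the checked object: no second lookup.
            return view(request, object_id, obj, **kwargs)
        return wrapper
    return decorator

def create(request, store, fields):
    """Owner is taken from the request, never from submitted fields."""
    fields = {k: v for k, v in fields.items() if k != "user"}
    new_id = max(store, default=0) + 1
    store[new_id] = dict(fields, user=request.user)
    return new_id

@owner_required(STORE)
def update(request, object_id, obj, **changes):
    changes.pop("user", None)  # ownership cannot be reassigned via update
    obj.update(changes)
    return obj

@owner_required(STORE)
def delete(request, object_id, obj):
    del STORE[object_id]
    return object_id
```
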