On Mon, Nov 28, 2011 at 2:21 AM, Mike Dewhirst <mi...@dewhirst.com.au> wrote:
> 1. Do I have to create many-to-many relationships and before serving a page
> make sure the user making the request is "permitted" to see it?
That's how I've done this in the past. It's not too much burden.

In my case, I had several image 'banks', and a user could have access to one or more, so there was a many-to-many between the user and bank models. In addition, the user could be on a single bank at a time (but could easily hop from one to the other), so I chose to store the bank ID in the session. To make it easier, I wrote a similar decorator that added a 'bank' field to the request, something like this (from failing memory):

    request.bank = get_object_or_404(Bank, user=request.user, pk=request.session['bank_id'])

That way, if a user somehow modified his session to point to a bank he doesn't have access to, he would get a 404.

Then, in any view that included a picture id, instead of doing the usual:

    @login_required
    def showpicture(request, pict_id):
        picture = get_object_or_404(Picture, pk=pict_id)
        ......

I did like:

    @login_required
    @bank_required
    def showpicture(request, pict_id):
        picture = get_object_or_404(Picture, bank=request.bank, pk=pict_id)
        ....

with the same "404 if not allowed" result.

--
Javier

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
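The bank_required pattern described in the reply above, as an added example that is not part of the original post or of Django: it runs without Django by using a small in-memory stand-in for the ORM, so the Http404 class, the Bank/Picture records, the get_bank_or_404 helper and the try_view wrapper are constructed here, while the names Bank, Picture, bank_required, showpicture and session['bank_id'] follow the post.

```python
from dataclasses import dataclass
from functools import wraps
from types import SimpleNamespace
class Http404(Exception):
    """Stand-in for django.http.Http404 (assumption: no Django installed)."""

@dataclass
class Bank:
    pk: int
    users: frozenset  # user names on the user<->bank many-to-many

@dataclass
class Picture:
    pk: int
    bank: Bank

# Constructed fixture data standing in for database rows.
BANKS = {1: Bank(1, frozenset({"alice"})), 2: Bank(2, frozenset({"bob"}))}
PICTURES = {10: Picture(10, BANKS[1]), 20: Picture(20, BANKS[2])}
def get_bank_or_404(user, pk):
    """Mirrors get_object_or_404(Bank, user=request.user, pk=...) from the post."""
    bank = BANKS.get(pk)
    if bank is None or user not in bank.users:
        raise Http404("no such bank for this user")
    return bank

def bank_required(view):
    """Resolve session['bank_id'] against the user's memberships before the view runs."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        request.bank = get_bank_or_404(request.user, request.session.get("bank_id"))
        return view(request, *args, **kwargs)
    return wrapper

@bank_required
def showpicture(request, pict_id):
    """Lookup scoped by bank: a picture outside request.bank is a 404, not a leak."""
    picture = PICTURES.get(pict_id)
    if picture is None or picture.bank.pk != request.bank.pk:
        raise Http404("no such picture in this bank")
    return f"picture {picture.pk} from bank {picture.bank.pk}"

def try_view(user, bank_id, pict_id):
    """Return the view's result, or None when the request is refused with a 404."""
    request = SimpleNamespace(user=user, session={"bank_id": bank_id})
    try:
        return showpicture(request, pict_id)
    except Http404:
        return None
```

A tampered session (bank_id pointing at a bank the user is not on) and a picture id from another bank both end in the same 404, so neither the existence of the bank nor of the picture is revealed.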