Hy, I am developing a Django Blog application. In this application, I have a PostEdit view to edit the post, Delete post view to delete the post. These operations can only be performed by the user who has created that post. I used Delete view as a functional view and edit view as CBV. Now what is happening is that any user is able to delete or edit the others post through URL. In my delete post view since it is a functional based view, I have used if condition to prevent another user to prevent deleting someone else post. But since for post edit, I am using CBV, I am not able to find a way to prevent a user from editing someone else's post. So how can I prevent doing another user to edit someone else post?
class PostUpdateView(LoginRequiredMixin ,UpdateView): model = Post template_name = 'blog/post_form.html' form_class = PostForm def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) context['title'] = 'Update' return context def form_valid(self, form): form.instance.author = self.request.user form.save() return super().form_valid(form) @login_required def post_delete(request, slug): post = get_object_or_404(Post, slug=slug) if (request.user == post.author): post.delete() return redirect('blog:post_list') else: return redirect('blog:post_detail', slug=slug) -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/9b38d4e0-a30a-43ed-9af6-6c9ac545024f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.