On May 25, 2009, at 4:41 PM, Andy wrote:

> On May 24, 9:54 pm, Brian Neal <bgn...@gmail.com> wrote:
>> On May 24, 6:50 pm, Continuation <selforgani...@gmail.com> wrote:
>>
>>> For example, I have a view edit_profile that edits a user's profile.
>>> Obviously I want to make sure that each user can edit his own profile only.
>>
>>> So before the profile of user A is being edited by edit_profile, I
>>> want to make sure the current user is logged in as user A.
>>
>>> Is there a decorator that can do that?
>>
>>> Is there a decorator similar to @login_required that requires not only
>>> the user to be logged in, but also that he needs to be logged in as a
>>> specific user (user A in the above example)?
>>
>> Well, typically you don't worry about that. If a user is requesting to
>> edit a profile, you simply pull up that user's profile.
>
> But how do I stop user A from trying to edit the profile of user B?

That's not quite how logging in works. Whether you're using the
contrib auth app or you've built your own, each visitor has to log in
AS someone – i.e., as a particular User from the table of all users
created by the auth app. If you use the authenticate and login methods
from the contrib auth application, authenticate returns a single
authenticated User, and then login ties that user to the request. From
that point on, request.user refers to a single User from the auth app.
If you use the login_required decorator, that all happens
semi-automatically, and your methods can use request.user directly.

The same code will now work for anyone who logs in, but each logged-in
user will only see the information associated with his/her User from
the user table. Putting "Hi there, {{ request.user.get_full_name }}"
in a template will show a different name to every logged-in user. When
a user edits request.user.profile.bio (for instance), it can only be
the profile for his or her user, never someone else's. Users are
logged in using cookies, so it's most accurate to say that a
particular browser/user agent instance logs into your site, and stays
logged in, as a particular user, until explicitly logged out or else a
certain time limit passes.

Hope that was helpful, and not a bunch of stuff you already knew...

E
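The decorator Continuation asked for, next to the id-free view Brian and E describe, as an added example that is not part of the original thread. Django's request and User objects are replaced by small constructed stand-ins so the code runs without Django installed; the names login_required (mimicking Django's decorator) and same_user_required are assumptions.

```python
from dataclasses import dataclass
from functools import wraps

# Minimal stand-ins for Django's request and User objects (constructed for
# this example so it runs without Django; not Django's real classes).
@dataclass
class User:
    id: int
    username: str
    is_authenticated: bool = True  # False models Django's AnonymousUser

@dataclass
class Request:
    user: User  # set from the session cookie by Django's auth middleware

def login_required(view):
    """Mimics django.contrib.auth.decorators.login_required: anonymous
    visitors never reach the view (Django redirects; here a 401 tuple)."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated:
            return 401, "login required"
        return view(request, *args, **kwargs)
    return wrapper

def same_user_required(view):
    """The decorator the original poster asked for: the view only runs when
    the user id in the URL is the id of the session's request.user."""
    @wraps(view)
    def wrapper(request, user_id, *args, **kwargs):
        if request.user.id != user_id:
            return 403, "forbidden: not your profile"
        return view(request, user_id, *args, **kwargs)
    return wrapper

@login_required
@same_user_required
def edit_profile(request, user_id, new_bio):
    # Ownership is enforced above; the id can no longer select someone else.
    return 200, f"{request.user.username}: bio set to {new_bio!r}"

@login_required
def edit_own_profile(request, new_bio):
    # The approach Brian and E describe: no id in the URL at all, so the
    # only profile reachable is request.user's own.
    return 200, f"{request.user.username}: bio set to {new_bio!r}"
```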
