Django: Display DB data to only logged in users with multiple filters
The URL that displays the DB data is:

    url(r'^editinvoice/(?P<pk>\d+)/$', views.edit_invoice, name='editinvoice'),
The template.html code that links to the page is:

    <a href="{% url "editinvoice" pk=invoices.id %}">{{ invoices.invoice_number }}</a></td>

Here invoices.id is the foreign key of the above DB table.

The link passes the correct pk and the details are displayed correctly. But if I change the id in the URL, I can see the information even if it is not related to the user. What should be done so that the information is only available to the logged-in user if that user is the owner of it?
For the views method edit_invoice, use the @login_required decorator. In the method, raise a 403 error:

    from django.contrib.auth.decorators import login_required
    from django.core.exceptions import PermissionDenied

    @login_required
    def edit_invoice(request, pk):
        invoice = Invoice.objects.get(pk=pk)
        # Only the owner of the invoice may see or edit it
        if invoice.user != request.user:
            raise PermissionDenied
        # ... render the edit form for the owner's invoice

See the Django docs on @login_required.

Also see the Django docs on PermissionDenied.
Edit:

Yeah, having "does not exist" makes more sense. A common one is to raise a 404 exception if what the user is visiting by URL doesn't exist:

    from django.http import Http404

    raise Http404