1

For my "tutorial app", I created some specific permissions after creating an object. Only the object's author have to be able to update or delete it.

I'm a beginner and I'm here to learn, if my methods are ugly be tolerant.

Here my views.py

class CreateArticle(LoginRequiredMixin, generic.CreateView):

model = Article
context_object_name = 'article'
template_name = "blog/edit_article.html"
form_class = ArticleForm

def form_valid(self, form):
    self.object = form.save(commit=False)
    self.object.slug = auto_slug(self.object.titre)
    user = User.objects.get(id=self.request.user.id)
    self.object.auteur = user

    self.object.save()

    """On génère les 2 permissions suivantes :
        Modifier l'article dont on est l'auteur
        Supprimer l'article dont on est l'auteur"""

    content_type = ContentType.objects.get(app_label='blog', model='article')
    permission = Permission.objects.create(
        codename='edit_article_{0}'.format(self.object.id),
        name='Modifier l\'article {0}'.format(self.object.titre),
        content_type=content_type
    )
    user.user_permissions.add(permission)
    permission = Permission.objects.create(
        codename='delete_article_{0}'.format(self.object.id),
        name='Supprimer l\'article {0}'.format(self.object.titre),
        content_type=content_type
    )
    user.user_permissions.add(permission)

    messages.success(self.request, "L'article a été crée")
    return HttpResponseRedirect(self.get_success_url())

So I wanted to use those permissions in my UpdateArticle and DeleteArticle generic views. The problem is that they are specific and I don't know how to use it.

Cœur
  • 37,241
  • 25
  • 195
  • 267
Léo Mouyna
  • 25
  • 1
  • 8

1 Answers1

4

You can create a custom permissions mixin to ensure that only the author is allowed to make changes to an existing article. Here's a quick example:

class SameUserOnlyMixin(object):

    def has_permissions(self):
        # Assumes that your Article model has a foreign key called `auteur`.
        return self.get_object().auteur == self.request.user

    def dispatch(self, request, *args, **kwargs):
        if not self.has_permissions():
            raise Http404('You do not have permission.')
        return super(SameUserOnlyMixin, self).dispatch(
            request, *args, **kwargs)

With this mixin, simply stick it before any generic classes in the views you'd like to use it in.

class CreateArticle(SameUserOnlyMixin, generic.CreateView):
    ...

Check out my other answer for more info.

Community
  • 1
  • 1
denvaar
  • 2,174
  • 2
  • 22
  • 26
  • Thanks, but in which file should I write the permission mixin ? – Léo Mouyna Aug 03 '16 at 21:41
  • 1
    @LéoMouyna you can put it at the top of your views file if you'd like, or create a new file called permissions.py and put it there. It's up to you. – denvaar Aug 03 '16 at 21:57
  • Thanks a lot for your help ! Next step , how can I know if this permission is true in a template ? Is perm received it ? – Léo Mouyna Aug 03 '16 at 22:09
  • @denvaar the code is working fine. But the dispatch method is called first, after the as_view() method right ?? then how actually it is getting executed after has_permissions() method ?? – rammanoj Oct 26 '18 at 17:11