
How can I prevent a user from modifying a post that does not belong to him? Example: a user goes to www.localhost:8080/profile/number/emergency/update/1 <- I want to prevent the auto-incremented post ID that the database (the model) assigns from being changed to one that does not belong to him.

Example of a view I have

view.py

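from django.shortcuts import get_object_or_404, redirect, render

# Emergencia and EmergenciaUpdateForm come from the app's own models and forms modules.

def EmergenciaUpdate(request, emergencia_id):
    # The record is looked up by id only, so any id placed in the URL is accepted.
    instancia = get_object_or_404(Emergencia, id=emergencia_id)
    form = EmergenciaUpdateForm(request.POST or None, instance=instancia)
    if request.method == 'POST':
        if form.is_valid():
            form.save()
            return redirect('emergencialista')
    return render(request, 'app/emergenciaupdate.html', {'emergencia_update_form': form})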

url.py

url(r'^perfil/numero/emergencia/update/(?P<emergencia_id>\d+)/$', EmergenciaUpdate, name='emergenciaupdate'),
CLG
  • What you are asking for is authorization. You should store the user who created the post in the db. Ensure the user that is sending the request is the same user. To do this, you will need authentication, to ensure the user is who they say they are. Django has an authentication and authorization system built in: https://docs.djangoproject.com/en/2.0/topics/auth/ – Geoff Lentsch Jul 13 '18 at 03:10
  • This question is related and has some possible solutions: https://stackoverflow.com/questions/5531258/example-of-django-class-based-deleteview . Not necessarily a duplicate though, as you're not using class-based views at the moment. – Marius Jul 13 '18 at 03:16
  • I use function for that. Class-based has no problem. – CLG Jul 13 '18 at 03:35
