0

Please help me implement these features so that another user cannot delete or edit my ads. So far, only unregistered users can not edit and delete.

@login_required
def listing_delete(request, listing_id):
    listing = Listing.objects.get(id=listing_id)
    listing.delete()
    return redirect('index')

@login_required
def listing_edit(request, listing_id):  
    form = ListingForm(instance = Listing.objects.get(id = listing_id))
    if request.method == "POST":
        form = ListingForm(request.POST, request.FILES, instance = Listing.objects.get(id = listing_id))    
        if form.is_valid():                 
            listing = form.save()
            return redirect('listing', listing_id)

    return render(request, 'listings/listing_edit.html', {'form': form})

@login_required
def listing_add(request):
    form = ListingForm()
    if request.method == "POST":
        form = ListingForm(request.POST, request.FILES)
        if form.is_valid():
            listing = form.save(commit=False)
            listing.realtor = request.user.realtor
            listing.save()
            return redirect('dashboard')

    return render(request, 'listings/listing_add.html', {'form': form})



 class Listing(models.Model):
            realtor = models.ForeignKey(Realtor, on_delete=models.CASCADE, verbose_name='Риэлтор')

...

class Realtor(models.Model):
    user = models.OneToOneField(User, on_delete=models.CASCADE, verbose_name='Пользователь', related_name='realtor')
Stanislav Konovalov
  • 37
  • 1
  • 6

1 Answers1

0

You just need to check that the user making the POST request is the author (realtor) of the listing:

@login_required
def listing_edit(request, listing_id):
    listing = Listing.objects.get(id=listing_id)  # avoid multiple database calls
    form = ListingForm(instance=listing)
    if request.method == "POST" and request.user == listing.realtor.user:
        form = ListingForm(request.POST, request.FILES, instance=listing)    
        if form.is_valid():                 
            listing = form.save()
            return redirect('listing', listing_id)

    return render(request, 'listings/listing_edit.html', {'form': form})

The same applies for the delete view.

@login_required
def listing_delete(request, listing_id):
    listing = Listing.objects.get(id=listing_id)
    if request.user == listing.realtor.user:
        listing.delete()
    return redirect('index')
p14z
  • 1,760
  • 1
  • 11
  • 17