I am using Django Generic view, DetailView.
But I'd like to block users to access to detail post who did not email_confirmed yet.
I have a email_confirmed field in User model.
My code is :
#method_decorator(login_required(login_url='/login/'), name='dispatch')
class RecruitView(generic.DetailView):
model = Recruit
template_name = 'recruit.html'
and I want to add :
if not request.user.email_confirmed:
error_message = "you did not confirmed yet. please check your email."
return render(request, 'info.html', {'error_message': error_message})
else: pass
How can I add this condition to DetailView?
(I tried to override 'as_view' but I don't know how to do it)
I would use the PermissionRequiredMixin. With this you can specify specific permissions users need to have or override the has_permission method.
from django.contrib.auth.mixins import PermissionRequiredMixin
class RecruitView(PermissionRequiredMixin, generic.DetailView):
...
login_url = '/login/'
permission_denied_message = 'you did not confirmed yet. please check your email.'
def has_permission(self):
return self.request.user.email_confirmed
This will redirect users without the email_confirmed to the login_url where you can display the error message. In order to use the index.html template instead you might need to override the handle_no_permission method.
Related
I created a class base create view.When i try to submite the post model create view. it will return
NOT NULL constraint failed: spring_post.publisher_id
how can i set the publisher the get the current logged in user and set it to the post piblisher field.
im a beginner
this is the publisher field in my post model
publisher=models.ForeignKey(User,on_delete=models.PROTECT)
#and this is my views
class PostCreateView(LoginRequiredMixin,CreateView):
model=Post
fields=['title','description']
redirect_field_name="login"
You need to set the .publisher of the post, so:
class PostCreateView(LoginRequiredMixin,CreateView):
model=Post
fields = ['title','description']
redirect_field_name = 'login'
def form_valid(self, form):
form.instance.publisher = self.request.user
return super().form_valid(form)
You probably should also specify the success_url [Django-doc] to specify where to redirect to if the POST request was successful.
Note: It is normally better to make use of the settings.AUTH_USER_MODEL [Django-doc] to refer to the user model, than to use the User model [Django-doc] directly. For more information you can see the referencing the User model section of the documentation.
I am new to Django
I am trying to convert my function-based views to class-based views. Here I ran into a problem.
I don't know whether the user is logged in or not. I can't call the user.is_authenticated inside my class-based view.
My Code:
class UserLoginView(FormView):
template_name = 'login.html'
form_class = UserLoginForm
success_url = reverse_lazy('login')
def form_valid(self, form):
user = authenticate(username=form.cleaned_data['username'], password=form.cleaned_data['password'])
if user is not None:
login(request=self.request, user=user)
print('Login Successfull')
return HttpResponseRedirect(self.success_url)
def form_invalid(self, form):
print('Login Failed')
return HttpResponseRedirect(self.success_url)
How can I check whether the user is already logged in and send him directly to the home page.
Thanks in advance.
As your requirement, you want to authenticate a user and send them to the home page after logged-in in a class-based view.
Here is what we can do. We can use the LoginRequiredMixin in your class-based home page view to help us to check is a user logged-in. If a user is not logged-in, they will be redirected to a login page we specified. Otherwise, execute the view normally and the user will be free to access the home page.
Example:
In views.py
from django.contrib.auth.mixins import LoginRequiredMixin
class HomeView(LoginRequiredMixin): # Add the LoginRequiredMixin
template_name = 'index.html'
login_url = '/login/' # Replace '/login/' with your login URL, an un-logged-in user will be redirect to this URL
One thing must care about while using the LoginRequiredMixin is the ordering.
Mostly we put the LoginRequiredMixin in the first position of inheritance if our class-based view inherited multiple classes. Because it makes sure the user is logged-in before the view does anything further for the user.
class HomeView(LoginRequiredMixin, ClassA, ClassB):
pass
You can get more information about LoginRequiredMixin in this page
I have two simple models
class User(AbstractUser):
pass
class Vacation(Model):
id = models.AutoField(primary_key=True)
owner = models.ForeignKey(User, on_delete=models.CASCADE)
I am not really sure what is the scalable way of doing user permissions for Django Rest Framework. In particular:
Users should only be able to see their own vacations
On the /vacation endpoint, user would see a filtered list
On the /vacation/$id endpoint, user would get a 403 if not owner
Users should only be able to Create/Update vacations as long as they are the owners of that object (through Foreign Key)
What is the best way to achieve this in a future-proof fashion. Say if further down the line:
I add a different user type, which can view all vacations, but can only create/update/delete their own
I add another model, where users can read, but cannot write
Thank you!
From the docs:
Permissions in REST framework are always defined as a list of permission classes. Before running the main body of the view each permission in the list is checked. If any permission check fails an exceptions.PermissionDenied or exceptions.NotAuthenticated exception will be raised, and the main body of the view will not run.
REST framework permissions also support object-level permissioning. Object level permissions are used to determine if a user should be allowed to act on a particular object, which will typically be a model instance.
For your current need you can define your own Permission class:
class IsVacationOwner(permissions.BasePermission):
# for view permission
def has_permission(self, request, view):
return request.user and request.user.is_authenticated
# for object level permissions
def has_object_permission(self, request, view, vacation_obj):
return vacation_obj.owner.id == request.user.id
And add this permission to your view. For example on a viewset:
class VacationViewSet(viewsets.ModelViewSet):
permission_classes = (IsVacationOwner,)
One thing is important to notice here, since you will respond with a filtered list for '/vacations', make sure you filter them using the request.user. Because object level permission will not be applicable for lists.
For performance reasons the generic views will not automatically apply object level permissions to each instance in a queryset when returning a list of objects.
For your future requirement, you can always set the permissions conditionally with the help of get_permissions method.
class VacationViewSet(viewsets.ModelViewSet):
def get_permissions(self):
if self.action == 'list':
# vacations can be seen by anyone
# remember to remove the filter for list though
permission_classes = [IsAuthenticated]
# or maybe that special type of user you mentioned
# write a `IsSpecialUser` permission class first btw
permission_classes = [IsSpecialUser]
else:
permission_classes = [IsVacationOwner]
return [permission() for permission in permission_classes]
DRF has great documentation. I hope this helps you to get started and helps you to approach different use cases according to your future needs.
I would suggest you to use drf-viewsets link. We are going to use vacation viewset to do this work.
our urls.py
from your_app.views import VacationViewSet
router.register('api/vacations/', VacationViewSet)
our serializers.py
from rest_framework import serializers
from your_app.models import Vacation
class VacationSerializer(serializers.ModelSerializer):
class Meta:
model = Vacation
fields = ('id', 'owner',)
read_only_fields = ('id',)
our views.py
Here we are going to overwrite viewset's retrive and list method. There are other possible way to do that but i like this most as i can able to see what is happening in code. Django model viewset inherited link of drf-mixins retrive and list method.
from rest_framework import viewsets, permissions, exceptions, status
from your_app.models import Vacation, User
from your_app.serializers import VacationSerializer
class VacationViewSet(viewsets.ModelViewSet):
queryset = Vacation.objects.all()
permission_classes = [IsAuthenticated]
serializer = VacationSerializer
# we are going to overwrite list and retrive
def list(self, request, *args, **kwargs):
queryset = self.filter_queryset(self.get_queryset())
# now we are going to filter on user
queryset = queryset.filter(owner=self.request.user)
page = self.paginate_queryset(queryset)
if page is not None:
serializer = self.get_serializer(page, many=True)
return self.get_paginated_response(serializer.data)
serializer = self.get_serializer(queryset, many=True)
return Response(serializer.data)
def retrieve(self, request, *args, **kwargs):
instance = self.get_object()
# not permitted check
if instance.owner is not self.request.user:
raise exceptions.PermissionDenied()
serializer = self.get_serializer(instance)
return Response(serializer.data)
Django rest framework provides in-build settings for this
Just import the required permission and add it to you class variable permission_classes
in my_name.api.views
from rest_framework.permissions import ( AllowAny, IsAuthenticated, IsAdminUser, IsAuthenticatedOrReadOnly,)
class Vacation(ListAPIView):
serializer_class = VacationListSerializer
permission_classes = [IsAuthenticated]
You can add multiple permission classes as a list
Furthur, in case this is not helpful, you can always filter the model objects as
Mymodel.objects.filter(owner = self.request.user)
I am building a small blog using django.I want to build a function that allow post author to delete and update their own posts.
Then I find django has LoginMixin for generic view,but it only block those who don't login.
My article Model is like below
class Article(models.Model):
author = models.ForeignKey(User)
updated = models.DateTimeField(auto_now=True)
created = models.DateTimeField(auto_now_add=True)
title = models.CharField(max_length=50)
context = models.TextField()
genre_choice = (('O','Others'),('P','Programming'),('L','Learning'),('E','Entertainment'))
genre = models.CharField(max_length=2,choices=genre_choice,default='O')
def __str__(self):
return "{} - {}".format(self.title,self.author)
def get_absolute_url(self):
return reverse("article-detail",args=str(self.id))
This is the generic article detail view.
class ArticleDetail(DetailView):
model = Article
I firstly want to add something like this in the detail template:
{% if article.author == user.username%}
<!-- Some a tag that directs to the update view -->
{% endif %}
Then I realize that this just hides the a tag ,it can't stop other users to touch the update url simply change the url.
Is there anyway in django can restricted the update and delete permissions to the original user by simply using generic view?Even if they directly enter the update url,they will be rejected.
Override get_queryset in your UpdateView, so that the user can only access items that they authored. Use the LoginRequiredMixin to ensure that only logged-in users can access the view.
from django.contrib.auth.mixins import LoginRequiredMixin
class UpdateArticle(LoginRequiredMixin, UpdateView):
model = Article
def get_queryset(self):
queryset = super(UpdateArticle, self).get_queryset()
queryset = queryset.filter(author=self.request.user)
return queryset
In the template, I would compare the author_id with the user's primary key to decide whether to show the link or not.
{% if article.author_id == user.pk %}
One option is to create your own mixin/decorator to check if the logged user is the author, if not then reload/show a message etc.
I believe a safer way now would be to use built-in mixin UserPassesTestMixin. In particular, you can inherit it in your class and change its test_func() to check for the author. Don't forget to also inherit LoginRequiredMixin to make sure the user is logged in:
from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
class UpdateArticle(LoginRequiredMixin, UserPassesTestMixin, UpdateView):
model = Article
def test_func(self):
thisArticle = self.get_object()
if self.request.user == thisArticle.author:
return True
return False
If a user who is not the author attempts to update the article, '403 Forbidden' Error is returned which is just what you want in such a situation.
I am trying to create custom fields for users to enter on signup with django-allauth. I have referred to several posts about this, but I am not able to get my custom form to save to my database. I do get a combined form on my signup.html page with username, password1 and 2, email and my extra fields of city and school, but I am not able to save the extra fields to the database. I have run syncdb and can see my User Profile table in the admin area.
This advice is the closest I have come to the answer but I do not understand how to implement it: "You can't use UserProfileForm to the allauth.SIGNUP_FORM_CLASS. You need to extend it from SignUpForm and write a save method which will accept the newly created user as the only parameter," from this post:
Custom registration form for use with django-allauth
I have also attempted to integrate advice on this form these posts:
Django Allauth not saving custom form
How to customize user profile when using django-allauth
This is my code:
Models.py
from django.db import models
from django.contrib.auth.models import User
class UserProfile(models.Model):
# A required line - links a UserProfile to User.
user = models.OneToOneField(User)
# The additional attributes we wish to include.
school = models.CharField(max_length=128)
city = models.CharField(max_length=128)
def __unicode__(self):
return self.user.username
Forms.py
from django import forms
from django.contrib.auth.models import User
from myapp.models import UserProfile
from django.forms.widgets import HiddenInput
class UserProfileForm(forms.ModelForm):
class Meta:
model = UserProfile
fields = ('city', 'school')
def signup(self, request, user):
user=User.objects.get(email=request.email)
city=request.POST.get('city','')
school=request.POST.get('school','')
userprofile_obj = UserProfile(user=user,city=city,school=school)
userprofile_obj.save()
Settings.py
ACCOUNT_SIGNUP_FORM_CLASS = 'myapp.forms.UserProfileForm'
My template is the basic Signup.html from the django-allauth templates and I do not have a view made for this, although I attempted to make one from the tangowithdjango user authentication section register view, and this gave similar behavior (not saving to the database).
Thanks,
Kelly
Not sure if this is still an active question/issue for the original poster: if so, and for anyone else who comes across this, a few things to correct to at least move in the right direction:
I don't see an __init__() method that calls the superclass? E.g.:
def __init__(self, *args, **kwargs):
super(SignupForm, self).__init__(*args, **kwargs)
use the user parameter to the signup method. It should be populated; don't reload it.
Ensure the two objects are linking correctly (I didn't use Django to build my profile table so YMMV but I set user.profile = Profile(...); then execute user.profile.save() at the end of my signup() method.
get the values to place into the profile from the form cleaned_data (e.g. self.cleaned_data['city'] not the POST.
Then start debugging: is your signup() method firing? What does it get? What happens when you execute the profile.save() method?