I have a typical django view setup for adding a new or editing a current 'book' model (through forms). This is of the nature:

    from django.shortcuts import get_object_or_404

    def bookedit(request, bookid=None):
        if bookid:
            book = get_object_or_404(Book, pk=bookid)
        else:
            book = Book()
        if request.method == 'POST':
            pass  # <form handling code.....>

I now want to put a decorator on this to limit editing to the user who created the Book. Using django-guardian I have the following decorator to wrap the above code:

    @permission_required_or_403('myapp.edit_book', (Book, 'id', 'bookid'))

This works okay in the scenario of editing Books already created, i.e. a 403 will be thrown if the user is not the creator. However, in adding a new book the bookid is empty and crashes the decorator code. Is there a good way to handle this scenario (without separating out the edit and add functions)?
Thanks, Gerry
I'm sorry, but that's not possible. django-guardian is not built for that request. Anyway, I recommend creating all CRUD views (create, read, update, delete) on their own.
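
A fail-closed sketch of the two checks discussed above, as an added example that is not part of either post and is not django-guardian code: the object-level check runs when `bookid` is present, and a separate model-level check runs when it is absent, so the create path is never left unguarded. The `User` class, `BOOKS`, `edit_or_add_guard`, `PermissionDenied` and the `myapp.add_book` permission name are assumptions for illustration; only the `has_perm(perm, obj=None)` shape mirrors Django's.

```python
# Added example: framework-free stand-ins; every name here is hypothetical
# except the has_perm(perm, obj=None) call shape, which mirrors Django's.
from functools import wraps


class PermissionDenied(Exception):
    """Stand-in for the 403 a real view would return."""


class User:
    """Stand-in user holding model-level and per-object permissions."""

    def __init__(self, name, model_perms=(), object_perms=()):
        self.name = name
        self.model_perms = set(model_perms)    # e.g. {"myapp.add_book"}
        self.object_perms = set(object_perms)  # e.g. {("myapp.edit_book", 1)}

    def has_perm(self, perm, obj=None):
        if obj is None:
            return perm in self.model_perms
        return (perm, obj["id"]) in self.object_perms


BOOKS = {1: {"id": 1, "title": "constructed sample"}}  # constructed data


def edit_or_add_guard(edit_perm, add_perm, id_kwarg, lookup):
    """Object-level check when an id is given, model-level check otherwise."""
    def decorator(view):
        @wraps(view)
        def wrapper(user, **kwargs):
            obj_id = kwargs.get(id_kwarg)
            if obj_id is None:
                allowed = user.has_perm(add_perm)        # create path
            else:
                obj = lookup(obj_id)                     # a missing id raises (404 in a real view)
                allowed = user.has_perm(edit_perm, obj)  # edit path
            if not allowed:
                raise PermissionDenied(view.__name__)    # deny before the view body runs
            return view(user, **kwargs)
        return wrapper
    return decorator


@edit_or_add_guard("myapp.edit_book", "myapp.add_book", "bookid", BOOKS.__getitem__)
def bookedit(user, bookid=None):
    return "created" if bookid is None else "edited %d" % bookid
```
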