
Django. How can I prevent another user from editing and deleting my listings?


Please help me implement these features so that another user cannot delete or edit my ads. So far, only unregistered users are prevented from editing and deleting.

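@login_required
def listing_delete(request, listing_id):
    """Delete a listing, but only if it belongs to the requesting user.

    Ownership is enforced inside the query (``realtor__user=request.user``),
    so a listing owned by another realtor is simply not found and nothing is
    deleted; a bad id is handled the same way instead of raising a 500.

    Args:
        request: The current HttpRequest; ``request.user`` is authenticated
            because of ``@login_required``.
        listing_id: Primary key of the Listing to delete.

    Returns:
        A redirect to the ``index`` URL in every case.
    """
    # NOTE(review): this view still deletes on a plain GET.  Django's CSRF
    # protection only covers POST, so a delete link should be turned into a
    # form that POSTs and the view decorated with
    # django.views.decorators.http.require_POST (import not visible here).
    try:
        # Filtering by owner as well as id means a non-owner can never reach
        # the delete() call.  get_object_or_404 / PermissionDenied would give
        # a clearer 404/403, but they need imports outside this snippet.
        listing = Listing.objects.get(id=listing_id, realtor__user=request.user)
    except Listing.DoesNotExist:
        return redirect('index')
    listing.delete()
    return redirect('index')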

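@login_required
def listing_edit(request, listing_id):
    """Show and process the edit form for a listing the current user owns.

    The listing is fetched once, filtered by ``realtor__user=request.user``,
    so both the GET path (pre-filled form) and the POST path (save) are
    restricted to the owner.  Another realtor's listing, or an unknown id,
    is treated as not found and the user is redirected to ``index``.

    Args:
        request: The current HttpRequest (authenticated via ``@login_required``).
        listing_id: Primary key of the Listing being edited.

    Returns:
        The rendered edit page; a redirect to the listing after a valid
        POST; or a redirect to ``index`` when the listing is not owned by
        the requesting user.
    """
    try:
        listing = Listing.objects.get(id=listing_id, realtor__user=request.user)
    except Listing.DoesNotExist:
        # Not found *or* not the owner: deny without revealing which.
        # A 404/403 via get_object_or_404 / PermissionDenied would be
        # clearer but needs imports outside this snippet.
        return redirect('index')

    # NOTE(review): assumes ListingForm does not expose the ``realtor``
    # field (listing_add sets it server-side, which suggests so); if it
    # does, a POST here could reassign the listing to another realtor.
    form = ListingForm(instance=listing)
    if request.method == "POST":
        form = ListingForm(request.POST, request.FILES, instance=listing)
        if form.is_valid():
            form.save()
            return redirect('listing', listing_id)

    return render(request, 'listings/listing_edit.html', {'form': form})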

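@login_required
def listing_add(request):
    """Display and process the form for creating a new listing.

    The new listing is attached to the Realtor profile of the logged-in
    user (``request.user.realtor``), never to a realtor supplied by the
    client, so a user cannot create listings on someone else's behalf.

    Args:
        request: The current HttpRequest (authenticated via ``@login_required``).

    Returns:
        The rendered add page, or a redirect to ``dashboard`` after a
        successful save.
    """
    form = ListingForm()
    if request.method == "POST":
        form = ListingForm(request.POST, request.FILES)
        if form.is_valid():
            # ``request.user.realtor`` is the reverse side of a OneToOneField;
            # a logged-in User with no Realtor row raises
            # RelatedObjectDoesNotExist (a subclass of AttributeError), which
            # would otherwise surface as a 500.
            try:
                realtor = request.user.realtor
            except AttributeError:
                form.add_error(None, "Only a registered realtor can add listings.")
            else:
                listing = form.save(commit=False)
                listing.realtor = realtor
                listing.save()
                return redirect('dashboard')

    return render(request, 'listings/listing_add.html', {'form': form})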



 class Listing(models.Model):
            # Owning realtor.  The edit/delete views decide access by comparing
            # request.user against ``realtor.user``; CASCADE means deleting
            # the Realtor row removes their listings too.
            realtor = models.ForeignKey(Realtor, on_delete=models.CASCADE, verbose_name='Риэлтор')

...

class Realtor(models.Model):
    # One Realtor profile per User.  related_name='realtor' is what lets the
    # views write ``request.user.realtor``; a User without a Realtor row
    # raises RelatedObjectDoesNotExist on that attribute access.
    user = models.OneToOneField(User, on_delete=models.CASCADE, verbose_name='Пользователь', related_name='realtor')

Solution

  • You just need to check that the user making the POST request is the author (realtor) of the listing:

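    @login_required
    def listing_edit(request, listing_id):
        """Show and process the edit form for a listing the current user owns.

        The ownership check is part of the lookup (``realtor__user=request.user``)
        so it applies to the GET path as well: a non-owner never sees the
        pre-filled form, rather than seeing it and having the POST silently
        ignored.  An unknown id is handled the same way instead of raising.

        Args:
            request: The current HttpRequest (authenticated via ``@login_required``).
            listing_id: Primary key of the Listing being edited.

        Returns:
            The rendered edit page; a redirect to the listing after a valid
            POST; or a redirect to ``index`` when the listing is not owned by
            the requesting user.
        """
        try:
            listing = Listing.objects.get(id=listing_id, realtor__user=request.user)  # one query
        except Listing.DoesNotExist:
            # Not found *or* not the owner.  get_object_or_404 / PermissionDenied
            # would give a clearer 404/403 but need imports outside this snippet.
            return redirect('index')

        form = ListingForm(instance=listing)
        if request.method == "POST":
            form = ListingForm(request.POST, request.FILES, instance=listing)
            if form.is_valid():
                form.save()
                return redirect('listing', listing_id)

        return render(request, 'listings/listing_edit.html', {'form': form})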
    

    The same check applies to the delete view.

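    @login_required
    def listing_delete(request, listing_id):
        """Delete a listing, but only if it belongs to the requesting user.

        Ownership is enforced inside the query (``realtor__user=request.user``),
        so a non-owner can never reach ``delete()``; an unknown id is handled
        the same way instead of raising a 500.

        Args:
            request: The current HttpRequest (authenticated via ``@login_required``).
            listing_id: Primary key of the Listing to delete.

        Returns:
            A redirect to the ``index`` URL in every case.
        """
        # NOTE(review): deleting on GET sidesteps CSRF protection (which only
        # covers POST); prefer a POSTing form plus
        # django.views.decorators.http.require_POST (import not visible here).
        try:
            listing = Listing.objects.get(id=listing_id, realtor__user=request.user)
        except Listing.DoesNotExist:
            return redirect('index')
        listing.delete()
        return redirect('index')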