I am trying to restrict access to records per customer, so that users can't access each other's data by changing the URL. I have added this check, but it's restricting everything.
if request.user.customer != Infringement.customer:
return HttpResponse('Your are not allowed here!!')"
views.py
@login_required(login_url='login')
def infringement(request, pk):
    """Show one infringement with its notes; on POST, add a note and redirect.

    This is the version from the question, kept as posted: the ownership
    check below is the one reported to reject every request.
    """
    # NOTE(review): `Infringement.customer` is read from the model class, not
    # from the record identified by `pk` (that record is only loaded on the
    # next statement), so this comparison says nothing about who owns the
    # requested record.
    if request.user.customer != Infringement.customer:
        # Denial is sent with HttpResponse's default status, not an error status.
        return HttpResponse('Your are not allowed here!!')
    # .get() raises Infringement.DoesNotExist when no row has this id.
    infringement = Infringement.objects.get(id=pk)
    # Notes attached to this infringement, newest first.
    notes = infringement.note_set.all().order_by('-created')
    if request.method == "POST":
        # The note is attributed to the logged-in user and that user's
        # customer; only the body text comes from the submitted form.
        note = Note.objects.create(
            customer=request.user.customer,
            user = request.user,
            infringement = infringement,
            body=request.POST.get('body')
        )
        # Redirect after POST so a page refresh does not resubmit the note.
        return redirect('infringement', pk=infringement.id)
    context= {'infringement': infringement, 'notes': notes}
    return render(request, 'base/infringements.html', context)
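The ownership check has to be made against the record identified by `pk`, not against the `Infringement` model class; comparing with the class attribute is why every request is rejected. Try: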
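@login_required(login_url='login')
def infringement(request, pk):
    """Show one infringement and its notes, restricted to the owner's customer.

    The record is looked up by id *and* by the requesting user's customer, so
    a record belonging to another customer is indistinguishable from one that
    does not exist: both produce the same 403 response. On POST a note is
    added to the infringement and the client is redirected back to this view.

    Args:
        request: The current HttpRequest; ``request.user`` is authenticated
            because of ``login_required``.
        pk: Primary key of the infringement, taken from the URL.

    Returns:
        A 403 HttpResponse when the record is missing or owned by another
        customer, a redirect after a successful POST, otherwise the rendered
        'base/infringements.html' page.
    """
    # NOTE(review): assumes every logged-in user has a related customer; if
    # that is not guaranteed, this attribute access raises. Confirm against
    # the user/customer models.
    customer = request.user.customer

    # Scope the query to the caller's customer instead of fetching by id and
    # comparing afterwards. .first() returns None rather than raising, so an
    # unknown pk no longer surfaces as an unhandled DoesNotExist error.
    infringement = Infringement.objects.filter(id=pk, customer=customer).first()
    if infringement is None:
        # Send the denial with a 403 status so clients, logs and monitoring
        # see a refusal instead of a successful 200 page.
        return HttpResponse('Your are not allowed here!!', status=403)

    # Everything below runs only after ownership has been established.
    notes = infringement.note_set.all().order_by('-created')
    if request.method == "POST":
        # Customer and user come from the session, never from the form, so a
        # note cannot be attributed to another customer by editing the POST.
        Note.objects.create(
            customer=customer,
            user=request.user,
            infringement=infringement,
            body=request.POST.get('body'),
        )
        return redirect('infringement', pk=infringement.id)
    context = {'infringement': infringement, 'notes': notes}
    return render(request, 'base/infringements.html', context)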