PreFireSkills, 2021-03-30 00:36:21
Django

How can I limit a user's access to only their own objects in Django?

Good evening!
I have a situation in which any authorized user can delete and edit posts created by any other user if he knows the id of the post. How can I create restrictions in Django so that a user can only edit and delete posts that he created himself?


2 answer(s)
Andrew, 2021-03-30
@PreFireSkills

Add an owner or created_by field to the model, for example; when saving an object, fill this field with a link (ForeignKey) to the current user.
When editing, check in the view that the current user is the owner (creator) of this object. If not, then optionally display a warning/access error and/or redirect them to another page (to the main page, for example).
Well, it is logical, in addition to the above, to make a page with a list of created posts, and only display a link for editing on them.
I outlined the action plan, do it yourself (google examples)

Anton Konovalov, 2021-03-30
@akonovalov

If you were to use the Django Rest Framework (aka "DRF"), then there are permissions and roles out of the box.
But if for some reason DRF does not suit you, I strongly recommend that you familiarize yourself with the RBAC ideology.
