File permissions checks

apps/files/views.py

@@ -1,4 +1,5 @@
-from django.shortcuts import render
+from django.core.exceptions import PermissionDenied
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import JsonResponse
 from django.shortcuts import render
 from django.views.generic import FormView, DetailView
@@ -6,16 +7,14 @@ from django.views.generic import FormView, DetailView
 from .forms import FileForm
 from .models import File
 
-class FileUploadView(FormView):
-    # FIXME require login
-
+class FileUploadView(LoginRequiredMixin, FormView):
     model = File
     form_class = FileForm
 
     def form_valid(self, form):
-        self.object = form.save()
-
-        # FIXME set File owner
+        self.object = form.save(commit=False)
+        self.object.user = self.request.user
+        self.object.save()
 
         return JsonResponse({
             'is_valid': True, 'url': self.object.file.url,
@@ -27,18 +26,18 @@ class FileUploadView(FormView):
         return JsonResponse({'is_valid': False, 'errors': form.errors})
 
 
-class FileDeleteView(DetailView):
-    # FIXME require login
-
+class FileDeleteView(LoginRequiredMixin, DetailView):
     model = File
 
     def get(self, request, *args, **kwargs):
         return self.post(request, *args, **kwargs)
 
     def post(self, request, *args, **kwargs):
-        # FIXME check file ownership
-
         self.object = self.get_object()
+
+        if request.user != self.object.user:
+            raise PermissionDenied
+
         self.object.delete()
         
         return JsonResponse({