Make sure users can only edit their own case studies

2019-03-04 20:03:43 +00:00 · 2019-03-04 20:03:43 +00:00 · ab99c1c19c
commit ab99c1c19c
parent 07f9bed096
2 changed files with 14 additions and 3 deletions
--- a/apps/map/admin.py
+++ b/apps/map/admin.py
@ -22,7 +22,7 @@ class CaseStudyAdminForm(forms.ModelForm):


 class CaseStudyAdmin(LeafletGeoAdmin):
-    list_display = ('id', 'date_created', 'entry_name', 'approved')
+    list_display = ('id', 'date_created', 'entry_name', 'approved', 'author')
    actions = ['approve', 'unapprove']
    form = CaseStudyAdminForm

--- a/apps/map/views.py
+++ b/apps/map/views.py
@ -1,7 +1,7 @@
 import json

 from django.conf import settings
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.core.mail import send_mail
 from django.db.models import Q
 from django.http import Http404, HttpResponse
@ -150,9 +150,20 @@ class BaseEditForm(LoginRequiredMixin, FilesHandlerMixin, UpdateView):
    model = CaseStudy


-class EditCaseStudy(BaseEditForm):
+class EditCaseStudy(UserPassesTestMixin, BaseEditForm):
    form_class = ShortCaseStudyForm

+    def test_func(self):
+        object = self.get_object()
+        if object.author:
+            author = object.author.id
+        else:
+            author = -1
+
+        return self.request.user.is_authenticated and (
+            author is self.request.user.id
+        )
+

 class SpatialRefSysAutocomplete(autocomplete.Select2QuerySetView):
    def get_queryset(self):