From ab99c1c19c364ed654511d2d9ef9171f204db30d Mon Sep 17 00:00:00 2001
From: Anna Sidwell
Date: Mon, 4 Mar 2019 20:03:43 +0000
Subject: [PATCH] Make sure users can only edit their own case studies
---
 apps/map/admin.py | 2 +-
 apps/map/views.py | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/apps/map/admin.py b/apps/map/admin.py
index daa97de..797b81f 100644
--- a/apps/map/admin.py
+++ b/apps/map/admin.py
@@ -22,7 +22,7 @@ class CaseStudyAdminForm(forms.ModelForm):
 class CaseStudyAdmin(LeafletGeoAdmin):
- list_display = ('id', 'date_created', 'entry_name', 'approved')
+ list_display = ('id', 'date_created', 'entry_name', 'approved', 'author')
 actions = ['approve', 'unapprove']
 form = CaseStudyAdminForm
diff --git a/apps/map/views.py b/apps/map/views.py
index 964ab76..51e8629 100644
--- a/apps/map/views.py
+++ b/apps/map/views.py
@@ -1,7 +1,7 @@
 import json
 from django.conf import settings
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.core.mail import send_mail
 from django.db.models import Q
 from django.http import Http404, HttpResponse
@@ -150,9 +150,20 @@ class BaseEditForm(LoginRequiredMixin, FilesHandlerMixin, UpdateView):
 model = CaseStudy
-class EditCaseStudy(BaseEditForm):
+class EditCaseStudy(UserPassesTestMixin, BaseEditForm):
 form_class = ShortCaseStudyForm
+ def test_func(self):
+ object = self.get_object()
+ if object.author:
+ author = object.author.id
+ else:
+ author = -1
+ return self.request.user.is_authenticated and (
+ author is self.request.user.id
+ )
 class SpatialRefSysAutocomplete(autocomplete.Select2QuerySetView):
 def get_queryset(self):
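Review bot: `author is self.request.user.id` in the new `test_func` compares two ints by identity, and CPython only guarantees identity for its small cached ints, so once primary keys grow past that range the check returns False for the legitimate author and EditCaseStudy rejects them with a 403 — fail-closed, but a functional bug that small-id test fixtures will never surface; the comparison must be `==`. The `is_authenticated` guard is also evaluated after `self.get_object()`, so an anonymous request runs the object query (and can 404) before UserPassesTestMixin turns it away; testing authentication first avoids that, and reading `author_id` (assuming `author` is a ForeignKey) answers the ownership question without loading the related user. `object` additionally shadows the builtin. The admin.py and import hunks are fine as they stand. A rewrite of the method follows.
```python
    def test_func(self):
        """Allow the edit only when the requesting user authored this case study."""
        user = self.request.user
        # Check authentication before touching the database.
        if not user.is_authenticated:
            return False
        # Compare keys with ==, never `is`: int identity is a CPython
        # small-int cache artefact and is False for larger ids.
        # A case study with no author (author_id is None) is editable by nobody.
        return self.get_object().author_id == user.pk
```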