I have this page :8000/edit/6/ that shows a form to update an existing model, and I logged in as X. If I logged in as Y and try to open that page, I can see it and update it. So this is without doubt a big and dangerous bug.
Here is my view code:
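
    from django.contrib import messages
    from django.contrib.auth.decorators import login_required
    from django.utils.decorators import method_decorator
    from django.utils.translation import ugettext as _
    from django.views.generic import UpdateView
    # Video and VideoForm come from the app's own models and forms modules.

    class VideoUpdate(UpdateView):
        form_class = VideoForm
        model = Video
        template_name = 'videos/video_update.html'

        # login_required only checks that a user is logged in, not who owns the video.
        @method_decorator(login_required)
        def dispatch(self, *args, **kwargs):
            return super(VideoUpdate, self).dispatch(*args, **kwargs)
        def form_valid(self, form):
            messages.info(self.request, _('Event is updated successfully'))
            return super(VideoUpdate, self).form_valid(form)
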
Is there a way to check the model object id with the user id? A simple question from a newbie.
Solution:
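Actually, there are two solutions that work for me in views.py. One is using the get_queryset method:

    def get_queryset(self):
        # Only the current user's videos are visible; any other pk gives a 404.
        base_qs = super(VideoUpdate, self).get_queryset()
        return base_qs.filter(user=self.request.user.get_profile())

or using the get_object method:

    from django.http import Http404
    from django.shortcuts import get_object_or_404

    def get_object(self):
        # Load by pk, then refuse with a 404 if the video belongs to someone else.
        video = get_object_or_404(Video, pk=self.kwargs['pk'])
        if video.user != self.request.user.get_profile():
            raise Http404
        return video
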
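
As an added illustration (not code from the question or its answers), the sketch below models both fixes outside Django with the standard-library sqlite3 module and adds a cross-user check that lists every (user, pk) pair where one user can load another user's row. The table layout, the function names and the NotFound exception standing in for Http404 are assumptions made for the example.

```python
import sqlite3

class NotFound(Exception):
    """Stands in for Django's Http404 in this sketch."""

def make_db():
    # Constructed sample data: video 6 belongs to user X, video 7 to user Y.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE video (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    db.executemany("INSERT INTO video VALUES (?, ?, ?)",
                   [(6, "X", "X's clip"), (7, "Y", "Y's clip")])
    return db

def get_unscoped(db, user, pk):
    # Behaviour of the original view: any logged-in user can load any pk.
    row = db.execute("SELECT id, owner, title FROM video WHERE id = ?",
                     (pk,)).fetchone()
    if row is None:
        raise NotFound(pk)
    return row

def get_scoped(db, user, pk):
    # get_queryset() style: ownership is part of the query itself, so a row
    # owned by someone else and a missing row look identical to the caller.
    row = db.execute(
        "SELECT id, owner, title FROM video WHERE id = ? AND owner = ?",
        (pk, user)).fetchone()
    if row is None:
        raise NotFound(pk)
    return row

def get_checked(db, user, pk):
    # get_object() style: fetch by pk first, then compare the owner.
    row = get_unscoped(db, user, pk)
    if row[1] != user:
        raise NotFound(pk)
    return row

def cross_user_leaks(db, lookup, users):
    """Return every (user, pk) pair where a user can load a row they do not own."""
    leaks = []
    rows = db.execute("SELECT id, owner FROM video ORDER BY id").fetchall()
    for pk, owner in rows:
        for user in (u for u in users if u != owner):
            try:
                lookup(db, user, pk)
                leaks.append((user, pk))
            except NotFound:
                pass
    return leaks
```

Running cross_user_leaks against each lookup with the same user list works as a regression check: an empty list means no user can reach another user's object by changing the id in the URL.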
Your question is not entirely clear to me but I think you want to restrict a view from registered but unauthorized users. Usually, this can be better achieved in your views instead of your models: