Home/ Questions/Q 8578567
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T20:25:13+00:00

Lets just suppose that we have following url: example.com/users/1 if user with ID=1 opens

  • 0

Lets just suppose that we have following url:

example.com/users/1

if user with ID=1 opens it, user receive info about his account, but if user switch 1 with 2, then he can view other user details as well, and we of course do not want that, so I have following solutions:

1) just pass currently logged in user id threw request.user.id inside a template

2) add permission, but I did not find type of permissions that would allow me to do that. Of course I could create dozens of permissions each for each user, but of course that is very nasty way.

Any other ideas how to cope with that in Django?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can either fill context with the request which makes sure the user will never see another user’s data, e.g. (using CBVs):

    class AccountView(TemplateView):
    """
    Generic account view
    """
    template_name = "users/account.html"

    def get_context_data(self, **kwargs):
        context = super(AccountView, self).get_context_data(**kwargs)
        context['user'] = User.objects.get(id=self.request.user.id) 
        return context

    @method_decorator(login_required(login_url=reverse('login')))
    def dispatch(self, *args, **kwargs):
        return super(AccountView, self).dispatch(*args, **kwargs)

    Another approach, to make sure ‘fake’ urls render 404’s is to write an owner_required decorator, e.g.:

    def owner_required(function):
    @wraps(function)
    def decorator(*args, **kwargs):
        request = args[1]
        user = get_object_or_404(User, username=request.user.username)
        if user.is_authenticated() and user.username == kwargs.get('slug'):
            return function(*args, **kwargs)
        raise Http404
    return decorator
    • 0