How to restrict Django staff users from editing or deleting other staff users' posts in the admin panel

Right now all my Django staff users can edit or delete other staff users' posts. I want them to be able to edit or delete only their own posts. How do I restrict them from editing or deleting other people's posts? Here is my code:

views.py

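from django.contrib.auth.mixins import PermissionRequiredMixin
from django.urls import reverse_lazy
from django.views.generic import CreateView, DeleteView, UpdateView

from .forms import BlogPost  # assumed module path
from .models import Post  # assumed module path


class BlogPublishView(PermissionRequiredMixin, CreateView):
    raise_exception = True  # respond with 403 instead of redirecting to login
    permission_required = "blog.add_post"
    model = Post
    form_class = BlogPost
    template_name = "blog_post.html"
    # fields = ['title', 'author', 'body']


class BlogUpdateView(PermissionRequiredMixin, UpdateView):
    raise_exception = True
    permission_required = "blog.change_post"
    model = Post
    template_name = "blog_update_post.html"
    form_class = BlogPost


class BlogDeleteView(PermissionRequiredMixin, DeleteView):
    raise_exception = True
    permission_required = "blog.delete_post"
    model = Post
    template_name = "delete_blog_post.html"
    success_url = reverse_lazy('blog')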

urls.py

path('blog-post', BlogPublishView.as_view(), name='blog-post'),
path('blog-update/<slug:slug>', BlogUpdateView.as_view(), name='blog-update'),
path('blog-delete/<slug:slug>', BlogDeleteView.as_view(), name='blog-delete'),

Let me explain a little bit more, in case you still don’t understand my problem. Assume I have three users in my Django admin panel: “A”, “B” and “C”. User “A” is admin, and users “B” and “C” are staff users. Users “B” and “C” only have permission to edit, delete and publish posts from the admin panel. The problem is that user “A” can edit and delete user “B”’s post. I want to restrict staff user “A” from editing or deleting staff user B’s post.

Your question is not clear.

Are you talking about restricting functionality in the Django admin facility? Or are you looking to apply a type of row-level security in your views that you have identified here?

They’re two different things with two different answers.

KenWhitesell Thanks for your reply. Let me explain. Assume I have two users in Django, “A” and “B”. I give them permission to publish blog posts from my Django admin panel. They are not admin users. They can just post, edit and delete blog posts. The main problem is that user “A” can edit and delete the posts of user “B”, which I don’t want. I want users “A” and “B” to be able to edit or delete only their own posts from the Django admin panel.

I’m sorry, your response hasn’t answered my question.

You refer to views you have posted earlier, and you make comments about “my django admin panel”.

Are you talking about restricting the functionality in the views you have created, or are you talking about restricting the functionality of the Django admin facility?

restricting the functionality of the Django admin facility

You can extend your ModelAdmin classes by overriding the has_add_permission, has_change_permission and has_delete_permission methods to check if the User making the request has the permissions necessary to perform those actions.

You can also override the get_queryset method to restrict the list of objects seen by a User. See the example on that page.

How to make sure user “A” can’t edit or delete user “B”’s post in ModelAdmin?

Create has_change_permission and has_delete_permission methods in your ModelAdmin class. Perform whatever test needs to be performed to determine whether or not the person making the request has the permissions to change or delete that specific instance. Return True if they can, False if they can’t.

Thanks for your suggestion. I solved it by using get_queryset.

Here is my get_queryset code:

    def get_queryset(self, request):
        qs = super().get_queryset(request)
        if request.user.is_superuser:
            return qs
        return qs.filter(author=request.user)

Now staff user “A” can only see his own posts in the Django admin panel. Thanks again for your suggestion. Users “A” and “B” were able to view, edit and delete each other’s blog posts before applying this get_queryset.
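
The two suggestions in this thread combined into one ModelAdmin mixin, as an added example that is not part of any post above. It assumes `Post.author` is a ForeignKey to the user model; `OwnPostsOnlyMixin`, `owner_field` and `PostAdmin` are hypothetical names.

```python
# Added example, not code from the thread. Assumes Post.author is a
# ForeignKey to the user model, as the get_queryset snippet above implies.


class OwnPostsOnlyMixin:
    """Mix into a ModelAdmin: staff see, change and delete only their own rows.

    Usage in admin.py (PostAdmin is a hypothetical name):
        @admin.register(Post)
        class PostAdmin(OwnPostsOnlyMixin, admin.ModelAdmin):
            exclude = ("author",)  # author is set in save_model, not by the form
    """

    owner_field = "author"  # assumed name of the ForeignKey on Post

    def _owns(self, request, obj):
        # obj is None when the admin asks about the model in general
        # (for example, whether to show the changelist at all).
        if obj is None or request.user.is_superuser:
            return True
        return getattr(obj, f"{self.owner_field}_id") == request.user.pk

    def get_queryset(self, request):
        qs = super().get_queryset(request)
        if request.user.is_superuser:
            return qs
        return qs.filter(**{self.owner_field: request.user})

    def has_view_permission(self, request, obj=None):
        return super().has_view_permission(request, obj) and self._owns(request, obj)

    def has_change_permission(self, request, obj=None):
        # Keep the model-level "blog.change_post" check, then add ownership.
        return super().has_change_permission(request, obj) and self._owns(request, obj)

    def has_delete_permission(self, request, obj=None):
        return super().has_delete_permission(request, obj) and self._owns(request, obj)

    def save_model(self, request, obj, form, change):
        # Set the author server-side on creation so a staff user cannot
        # publish a post under another user's name.
        if not change:
            setattr(obj, self.owner_field, request.user)
        super().save_model(request, obj, form, change)
```

The queryset filter hides other users' posts from the changelist, and the per-object permission checks still refuse a change or delete if a foreign object reaches the admin by some other path.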