Is this a secure way to prevent others to delete?

Using Django Forms & APIs
1

I’m using Class Based Views.

This is a class based view for comment delete where I use UserPassesTextMixing to prevent other uses to delete a comment. Only the author of the comment can delete the comment.

class CommentDeleteView(LoginRequiredMixin, UserPassesTestMixin, DeleteView):
    # Requires model_confirm_delete.html template name
    model = Comment
    success_url = reverse_lazy('dicoms:patients_list')

    def test_func(self):
        obj = self.get_object()
        return obj.author == self.request.user

    def get_success_url(self):
        return reverse_lazy('dicoms:dicom_detail', kwargs={'pk': self.object.dicom_file.id})

Is this a secure enough? Or is it ridiculously insecure?

I mean is using UserPassesTextMixing like this in class based views a secure way to control who can do what? Or is it ridiculously insecure?

2

It looks secure enough to me if you are comparing with request.user. Check out the security docs to see if you could be doing something wrong if you’re worried though. Security in Django | Django documentation | Django

3

That’s exactly how it should be done.

Side Note: You do not need LoginRequiredMixin with UserPassesTestMixin. If a request is not authenticated (person is not logged in), their request is identified as from AnonymousUser. Since AnonymousUser is (most likely) not the author, the test will fail and the request will be rejected. You do not need the second test to verify that the request is not coming from AnonymousUser.