From 8f79bf5dd218add993668ce637e14b9a978a27b2 Mon Sep 17 00:00:00 2001
From: Benjamin
Date: Sat, 11 Mar 2023 17:52:44 +0100
Subject: [PATCH] Limit version editing to creator and superusers
---
 recipes/views.py | 5 ++++-
 templates/registration/login.html | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/recipes/views.py b/recipes/views.py
index be05926..2ac5765 100644
--- a/recipes/views.py
+++ b/recipes/views.py
@@ -1,4 +1,4 @@
-from django.shortcuts import render, get_object_or_404
+from django.shortcuts import render, get_object_or_404, redirect
 from .models import Recipe, Version, Ingredient
 from .forms import RecipeForm, VersionForm, IngredientFormSet
 from django.contrib.auth.decorators import login_required
@@ -113,6 +113,9 @@ def edit_version(request, slug_recipe, slug_version):
 recipe = get_object_or_404(Recipe, slug=slug_recipe)
 version = get_object_or_404(Version, recipe=recipe, slug=slug_version)
+ if version.user != request.user and not request.user.is_superuser:
+ return redirect(f"/accounts/login/?next={request.path}")
+
 if request.method == 'POST':
 version_form = VersionForm(request.POST, prefix=VERSION_FORM_PREFIX, instance=version, author_placeholder=get_name_of_user(request.user))
 ingredients_formset = IngredientFormSet(request.POST, queryset=version.ingredients.all(), prefix=INGREDIENTS_FORMSET_PREFIX) # type: ignore
diff --git a/templates/registration/login.html b/templates/registration/login.html
index 2004528..af8bf75 100644
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@@ -11,7 +11,7 @@ {% if next %}
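Review bot: The denial branch added to `edit_version` builds the login URL by hand, so `/accounts/login/` is hard-coded instead of following `settings.LOGIN_URL`, and `request.path` is interpolated into the query string without URL-encoding and without the original query string. Django's helper does all three: import it with `from django.contrib.auth.views import redirect_to_login` and return `redirect_to_login(request.get_full_path())`. The check itself is placed before the `request.method` branch, so it covers both GET and POST. `edit_version` continues outside the hunk and the other views that modify a `Version` or `Recipe` are not visible here, so it is worth confirming they carry the same owner-or-superuser check. The diffstat touches no test file; a test that a logged-in non-owner POST leaves the version unchanged would pin this rule.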
{% if user.is_authenticated %} -

You are not authorized to access this site. Please inform Benjamin to get the corresponding authorization or log in with an account with the necessary permissions.

+

You are not authorized to access this site. Please log in with an account with the necessary permissions.

{% else %}

Please log in to view this site.

{% endif %}