Limit version editing to creator and superusers

2023-03-11 17:52:44 +01:00 · 2023-03-11 17:52:44 +01:00 · 8f79bf5dd2
parent f38fb8d410
commit 8f79bf5dd2
2 changed files with 5 additions and 2 deletions
--- a/recipes/views.py
+++ b/recipes/views.py
@ -1,4 +1,4 @@
-from django.shortcuts import render, get_object_or_404
+from django.shortcuts import render, get_object_or_404, redirect
 from .models import Recipe, Version, Ingredient
 from .forms import RecipeForm, VersionForm, IngredientFormSet
 from django.contrib.auth.decorators import login_required
@ -113,6 +113,9 @@ def edit_version(request, slug_recipe, slug_version):
 	recipe = get_object_or_404(Recipe, slug=slug_recipe)
 	version = get_object_or_404(Version, recipe=recipe, slug=slug_version)

+	if version.user != request.user and not request.user.is_superuser:
+		return redirect(f"/accounts/login/?next={request.path}")
+
 	if request.method == 'POST':
 		version_form = VersionForm(request.POST, prefix=VERSION_FORM_PREFIX, instance=version, author_placeholder=get_name_of_user(request.user))
 		ingredients_formset = IngredientFormSet(request.POST, queryset=version.ingredients.all(), prefix=INGREDIENTS_FORMSET_PREFIX) # type: ignore
--- a/templates/registration/login.html
+++ b/templates/registration/login.html
@ -11,7 +11,7 @@
 {% if next %}
 <section>
 	{% if user.is_authenticated %}
-	<p>You are not authorized to access this site. Please inform Benjamin to get the corresponding authorization or log in with an account with the necessary permissions.</p>
+	<p>You are not authorized to access this site. Please log in with an account with the necessary permissions.</p>
 	{% else %}
 	<p>Please log in to view this site.</p>
 	{% endif %}