Django snippets: Owner required decorator

def owner_required(Model=None):
    """
    Usage:
    
    @permission_required('blogs.change_entry')
    @owner_required(Entry)
    def manage_entry(request, object_id=None, object=None):
    
    @permission_required('blogs.delete_entry')
    @owner_required()
    def entry_delete(*args, **kwargs):
        kwargs["post_delete_redirect"] = reverse('manage_blogs')
        return delete_object(*args, **kwargs)
    """
    def _decorator(viewfunc):
        def _closure(request, *args, **kwargs):
            user = request.user
            grant = False
            model = Model
            mod_edit = False
            if 'object_id' in kwargs:
                object_id = int(kwargs['object_id'])
                if model:
                    mod_edit = True
                elif 'model' in kwargs:
                    model = kwargs['model']
                object = get_object_or_404(model, pk=object_id)
                
                if user.is_superuser:
                    grant = True
                else:
                    if user.__class__ == model:
                        grant = object_id == user.id
                    else:
                        names = [rel.get_accessor_name() for rel in user._meta.get_all_related_objects() if rel.model == model]
                        if names:
                            grant = object_id in [o.id for o in eval('user.%s.all()' % names[0])]
                if not grant:
                    response = render_to_response("403.html", {'object': object}, context_instance=RequestContext(request))
                    response.status_code = 403
                    return response
                if mod_edit:
                    kwargs['object'] = object
                
            response = viewfunc(request, *args, **kwargs)
            return response
        
        return wraps(viewfunc)(_closure)
    return _decorator

More like this

Auth decorators with 403 by Magus 5 years, 12 months ago
View Permission Decorator Helper by jgeewax 4 years, 10 months ago
PK->objects in view signature by AdamKG 5 years, 1 month ago
permission_required with multiple permissions by uswaretech 3 years, 10 months ago
Delete View by alcides 4 years, 9 months ago

This decorator allows edit or delete for the owner of the record. Snippet applies for every model that has ForeignKey to User. Works for User model too. Works with other decorators as permission_required or similar.

Decorator raise http 403 view if user is not owner.

Usage

@permission_required('blogs.change_entry')
@owner_required(Entry)
def manage_entry(request, object_id=None, object=None):

Decorator populates object kwargs if object_id present, otherwise just returns original view function.

@permission_required('blogs.delete_entry')
@owner_required()
def entry_delete(*args, **kwargs):
    kwargs["post_delete_redirect"] = reverse('manage_blogs')
    return delete_object(*args, **kwargs)

In generic delete wrapper view returns original view function.

Author:: polarbear
Posted:: July 11, 2008
Language:: Python
Django Version:: .96
Tags:: decorator
Score:: 3 (after 3 ratings)

Django snippets

Owner required decorator

More like this

Tools

Comments

Snippets

About