Let us say an owner can create, update and delete data, whereas staff can only view and edit the data stored by the owner.
For this kind of requirement there is an easy and secure way to do it in Python, using Django decorators.
Let's go through it now.
Create decorators.py inside the app where you need to authorize multiple kinds of user with different functionality.
Inside decorators.py:
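from functools import wraps

from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404

from hotel.models import Hotels


def hotel_create_decorator(function):
    """Allow the view only when the logged-in user is a hotel owner."""
    @wraps(function)
    def wrap(request, *args, **kwargs):
        if request.user.is_hotel_owner:
            return function(request, *args, **kwargs)
        raise PermissionDenied
    return wrap


def hotel_update_decorator(function):
    """Allow the view only for staff who belong to the owner of this hotel."""
    @wraps(function)
    def wrap(request, *args, **kwargs):
        # An unknown pk gives a 404 instead of an unhandled DoesNotExist (HTTP 500).
        entry = get_object_or_404(Hotels, pk=kwargs['pk'])
        if (request.user.is_hotel_staff
                and entry.owner_id_id == request.user.owner_id_id):
            return function(request, *args, **kwargs)
        raise PermissionDenied
    return wrap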
Here, for update: if the requesting user is staff and the owner of the hotel matches the owner_id_id in the staff table, then that staff member can update the information about the hotel.
For create: if the logged-in user is the owner, then they can create the hotel.
Now, inside views.py of the app:
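from django.contrib import messages
from django.contrib.auth.decorators import login_required
from django.contrib.messages.views import SuccessMessageMixin
from django.urls import reverse_lazy
from django.utils.decorators import method_decorator
from django.views.generic import DetailView, UpdateView

from hotel.decorators import hotel_update_decorator
# hotel_delete_decorator is not shown in this post; it must exist in decorators.py.
from hotel.decorators import hotel_delete_decorator
# Assumed locations: HotelForm in hotel/forms.py, HotelOwner in hotel/models.py.
from hotel.forms import HotelForm
from hotel.models import HotelOwner, Hotels


@method_decorator([login_required], name='dispatch')
class HotelDetail(DetailView):
    model = Hotels
    template_name = 'hotel/show.html'
    queryset = Hotels.objects.all()


# Class decorators apply bottom-up, so login_required wraps the
# permission check and runs first.
@method_decorator(login_required, name='dispatch')
@method_decorator(hotel_update_decorator, name='dispatch')
class HotelUpdate(SuccessMessageMixin, UpdateView):
    template_name = 'hotel/create.html'
    model = Hotels
    form_class = HotelForm
    success_message = 'Information Updated Successfully'
    success_url = reverse_lazy('hotelindex')
    queryset = Hotels.objects.all()

    def form_invalid(self, form):
        # Show the validation errors and re-render the form.
        messages.warning(self.request, form.errors)
        return self.render_to_response(self.get_context_data(object=form.data))

    def get_context_data(self, **kwargs):
        context = super(HotelUpdate, self).get_context_data(**kwargs)
        context['owners'] = HotelOwner.objects.all().order_by('id').reverse()
        return context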
Here, @method_decorator(hotel_update_decorator, name='dispatch') refers to the hotel_update_decorator function in decorators.py. If all the conditions inside that function are satisfied, you will be able to update; otherwise you will get a Forbidden response.
In the above code you have also seen
@method_decorator(login_required, name='dispatch')
This means that login is required. Write this line at the top of any class where you feel it is necessary to be logged in to access that feature of the app.
Another way:
Inside urls.py:
from django.contrib.auth.decorators import login_required
from django.urls import path
from . import views
urlpatterns = [path('', login_required(views.HotelListView.as_view()), name="hotelindex")]
That's all; it is done.
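An added example (not code from the original post): a fail-closed version of the staff check from decorators.py that runs without Django, so the edge cases can be tried directly. PermissionDenied, HOTELS, hotel_staff_required, update_hotel and attempt are stand-ins assumed here, and the hotel rows are constructed sample data.

```python
from functools import wraps
from types import SimpleNamespace


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


# Constructed sample rows standing in for the Hotels table (pk -> row).
HOTELS = {
    1: SimpleNamespace(pk=1, owner_id_id=10),
    2: SimpleNamespace(pk=2, owner_id_id=20),
    3: SimpleNamespace(pk=3, owner_id_id=None),  # hotel with no owner set
}


def hotel_staff_required(lookup=HOTELS.get):
    """Allow the view only for staff whose owner matches the hotel's owner."""
    def decorator(view):
        @wraps(view)
        def wrap(request, *args, **kwargs):
            user = request.user
            # getattr with a default: an anonymous user, or a user model
            # without these fields, is denied instead of raising AttributeError.
            if not getattr(user, "is_hotel_staff", False):
                raise PermissionDenied
            entry = lookup(kwargs.get("pk"))
            staff_owner = getattr(user, "owner_id_id", None)
            # A missing hotel is denied like any other mismatch, and
            # None == None must never count as "same owner".
            if entry is None or staff_owner is None:
                raise PermissionDenied
            if entry.owner_id_id != staff_owner:
                raise PermissionDenied
            return view(request, *args, **kwargs)
        return wrap
    return decorator


@hotel_staff_required()
def update_hotel(request, pk):
    return f"updated hotel {pk}"


def attempt(user, pk):
    """Return the view result, or 'denied' when the decorator refuses."""
    try:
        return update_hotel(SimpleNamespace(user=user), pk=pk)
    except PermissionDenied:
        return "denied"
```

In a real project the same checks go inside hotel_update_decorator, with Django's PermissionDenied and the Hotels model in place of the stand-ins.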