From 839806b0d296f7cac349b2c955167cf6ebcf18e8 Mon Sep 17 00:00:00 2001
From: Ivlev Denis
Date: Wed, 7 Feb 2018 16:12:56 +0300
Subject: [PATCH] LIL-183. Only you can edit your profile
---
 apps/user/views.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/apps/user/views.py b/apps/user/views.py
index 8dc66d18..9ad82013 100644
--- a/apps/user/views.py
+++ b/apps/user/views.py
@@ -3,7 +3,10 @@ from django.shortcuts import render, reverse
 from django.views.generic import DetailView, UpdateView
 from django.contrib import messages
 from django.contrib.auth import get_user_model
+from django.contrib.auth.decorators import login_required, permission_required
 from django.contrib.auth.hashers import check_password, make_password
+from django.http import Http404
+from django.utils.decorators import method_decorator
 from apps.course.models import Course
@@ -30,9 +33,15 @@ class UserEditView(UpdateView):
 template_name = 'user/profile-settings.html'
 form_class = UserEditForm
+ @method_decorator(login_required)
+ def dispatch(self, request, *args, **kwargs):
+ self.object = self.get_object()
+ if request.user != self.object:
+ raise Http404()
+ return super().dispatch(request, *args, **kwargs)
+
 def post(self, request, *args, **kwargs):
 # it's magic *-*-*-*-*
- self.object = self.get_object()
 if not request.POST._mutable:
 request.POST._mutable = True
 old_password = request.POST.pop('old_password')[0]
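Review bot: `permission_required` is imported on the new `django.contrib.auth.decorators` line, but nothing in this patch uses it. Unless another part of views.py outside the hunks needs it, the line should read `from django.contrib.auth.decorators import login_required`. An unused import of an access-control decorator can make a later reader assume a permission check exists somewhere in the module.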
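Review bot: The ownership check in `dispatch` sits apart from the lookup it guards, so any code that later calls `get_object()` directly gets an unchecked profile. The object is also loaded twice on GET, since Django's stock `UpdateView.get()` calls `get_object()` again (assuming this class does not override `get`, which the hunk does not show). Moving the comparison into a `get_object` override ties the check to the lookup and lets `post` keep its own `self.object = self.get_object()` line. The body of `post` continues outside the hunk, so the rest of the password handling is not reviewed here. A regression test that requests another user's edit URL and expects a 404 would pin the behaviour this commit introduces.

```python
    @method_decorator(login_required)
    def dispatch(self, request, *args, **kwargs):
        return super().dispatch(request, *args, **kwargs)

    def get_object(self, queryset=None):
        # Enforce ownership wherever the profile is loaded, not only in dispatch.
        obj = super().get_object(queryset)
        if obj != self.request.user:
            raise Http404()
        return obj

    def post(self, request, *args, **kwargs):
        # it's magic *-*-*-*-*
        self.object = self.get_object()
        # … unchanged: POST mutation and password handling …
```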