[SOLVED] Viewing or Editing their own Profile who is currently login

Issue

This Content is from Stack Overflow. Question asked by Kimberly Chan

I am editing profile using Django framework. The problem lies where the user login can see the profile of other user when they change the id in the web address. Could someone help me so that I can only view the user’s profile who is login and if they change the id they will receive an error. Thanks

Edit User Profile

@login_required(login_url = 'signin')
@user_passes_test(check_role_super)
def sa_profile_edit(request, user_id=None):

    user = get_object_or_404(User, pk=user_id)
    user_profile = get_object_or_404(userMember, pk=user_id)
    if request.method == 'POST':
        form = UserFormAdmin(request.POST or None, instance=user)
        form_profile = MemberForm(request.POST or None, instance=user_profile)
    else:
        form = UserFormAdmin(instance=user)
        form_profile = MemberForm(instance=user_profile)       
    context = {
        'form': form,
        'user': user,
        'form_profile': form_profile,
        'user_profile': user_profile
     }
    return render(request, 'pages/sa_editProfile.html', context)

If role is super

def check_role_super(user):
    if user.role == 3:
        return True
    else:
        raise PermissionDenied

Model

class User(AbstractBaseUser):
    MEMBER = 1
    ADMIN = 2
    SUPERADMIN = 3
    ROLE_CHOICE = (
        (MEMBER, 'Member'),
        (ADMIN, 'Admin'),
        (SUPERADMIN, 'Super Admin')
    )

    ACTIVE = 1
    DELETED = 2
    DEACTIVATED = 3

    STATUS = (
        (ACTIVE, 'Active'),
        (DELETED, 'Deleted'),
        (DEACTIVATED, 'Deactivated')
    )

    first_name = models.CharField(max_length=50)
    middle_name = models.CharField(max_length=50, default="Some String")
    last_name = models.CharField(max_length=50)
    username = models.CharField(max_length=50, unique=True)
    email = models.EmailField(max_length=100, unique=True)
    mobile_number = models.CharField(max_length = 100, db_index=True, null = True, 
validators=[
    
            RegexValidator(
                regex='^(+d{1,3})?,?s?d{8,13}',
                message='Phone number must not consist of space and requires country 
code. eg : +639171234567',
            ),
        ])
    password = models.CharField(max_length = 100,validators=[MinLengthValidator(8),
        
        ])
    role = models.PositiveSmallIntegerField(choices=ROLE_CHOICE, blank=True, null=True)
    status = models.PositiveSmallIntegerField(choices=STATUS, blank=True, null=True)

# required fields
    date_joined = models.DateTimeField(auto_now_add=True)
    last_login = models.DateTimeField(auto_now_add=True)
    created_date= models.DateTimeField(auto_now_add=True)
    modified_date = models.DateTimeField(auto_now_add=True)
    is_admin = models.BooleanField(default=False)
    is_staff = models.BooleanField(default=False)
    is_active = models.BooleanField(default=False)
    is_superadmin = models.BooleanField(default=False)

    USERNAME_FIELD = 'username'
    REQUIRED_FIELDS = ['email', 'first_name', 'middle_name', 'last_name', 'mobile_number']

    objects = UserManager()

    def __str__(self):
        return self.username

    def has_perm(self, perm, obj=None):
        return self.is_admin

    def has_module_perms(self, app_label):
        return True

    def get_role(self):
        if self.role == 1:
            user_role = 'Member'
        elif self.role == 2:
            user_role = 'Admin'
        elif self.role == 3:
            user_role = 'Super Admin'
        return user_role

    def get_status(self):
        if self.status == 1:
            user_status = 'Active'
        elif self.status == 2:
            user_status = 'Deleted'
        elif self.status == 3:
            user_status = 'Deactivated'
        return user_status

class userMember(models.Model):
    user = models.OneToOneField(User, on_delete=models.CASCADE, primary_key=True)
    birthdate = models.DateField(blank=True, null=True)
    profile_picture = models.ImageField(upload_to='users/profile_pictures', blank=True, null=True)
    cover_color = ColorField(format='hexa', blank=True, null=True)
    upload_id = models.ImageField(upload_to='member/id', blank=True, null=True)
    created_at = models.DateTimeField(auto_now=True)
    modified_at = models.DateTimeField(auto_now=True)

    def __str__(self):
        return self.user.username



Solution

You can get the current user from the request instead, replace user = get_object_or_404(User, pk=user_id) with:

user = request.user
if not user.is_authenticated:
    raise Http404()


This Question was asked in StackOverflow by Kimberly Chan and Answered by Đào Minh Hạt It is licensed under the terms of CC BY-SA 2.5. - CC BY-SA 3.0. - CC BY-SA 4.0.

people found this article helpful. What about you?