#100DaysOfWeb in Python Transcripts
Chapter: Days 53-56: Django part 2 - registration and login
Lecture: Update templates to only show edit buttons to quote owners
0:01 Okay, let's start making the changes
0:03 required to have users submit and edit their own quotes.
0:09 So, let's check the files we have in applications.
0:12 We have forms, views, the model we did in the last lesson.
0:17 Let's first review forms. This is okay.
0:20 Because I define 'quote', 'other', 'source' and 'cover'
0:23 as the fields that should show up in the form.
0:27 But I actually can shorten this a little bit.
0:28 Because instead of stating the fields explicitly
0:31 we can just say, "Give me all the fields,"
0:33 and exclude the new user field.
0:42 And that's because in the view, we will set the user
0:45 upon save, or add.
0:47 And we load the user then in from the request session.
0:50 So, I want all the fields in my form except user.
0:53 Okay? Then, the views.
0:57 We have quote_new and quote_edit.
0:59 Here we need to do a little bit of ORM magic.
1:02 So, when the form is valid
1:03 this is saved to the database.
1:06 But we don't save the user yet.
1:07 So what we want to do here is
1:09 to do a commit=False
1:12 so don't commit it yet.
1:15 Write the user to the user field
1:20 And then save the form.
1:24 And here I want to actually assign it to a variable.
1:26 So save the form like a draft, so to say.
1:30 Add the user to it.
1:32 And then save it to the database.
1:34 And this code is actually the same in the edit action.
1:38 So you could actually factor this out
1:39 because it's duplicate code, but
1:41 for now we leave it like this.
1:43 So upon save, on add or edit, the request user
1:47 which is the current user that's editing
1:49 that's in the request session variable
1:51 that's passed into every view.
1:54 That user gets set on the form object
1:57 and saved to the database.
1:58 Now I need to update the templates.
2:04 And let's start with quotes_list.
2:08 First of all, there's this 'Add a quote' button.
2:11 But that should only be visible for logged-in users.
2:14 So let's wrap this in a conditional.
2:17 And we saw that before, we can do
2:19 if request.user.is_authenticated
2:26 we can show this button.
2:30 Else, we can actually show a log-in button.
2:35 So the same HTML.
2:41 But the link changes. To login.
2:50 Let's see this in action.
2:53 So, here I'm logged in, let's quickly log out.
2:56 Still shows edit quote.
2:59 Ah, because I didn't update the link text.
3:08 Let's try it now. There you go.
3:11 Login to add quotes. And I can login
3:16 and the button changed to add a quote.
3:18 Great. Here I need to make two more changes
3:22 and that's to show the edit buttons only
3:25 for the current user's quotes.
3:27 And I want to show the user that added the quote
3:29 and we can do that, for example, in the same column
3:32 as the time-stamp.
3:36 So the quote object will have a new user field
3:39 as defined in the model.
3:41 So I'm just bouncing that here.
3:43 And here, I make another conditional
3:46 if quote.user == request.user
3:52 Then show me the edit buttons.
3:59 Else, to have a proper layout of the table
4:02 I'm just going to show the table cell
4:06 with colspan = 2. So, 2001, so to say.
4:14 And that's just that the table still flows
4:16 if there's no buttons.
4:20 And we get proper styling.
4:22 Okay, so this looks for all the quotes
4:24 and if the quote was added by the user that's currently
4:28 logged-in, then we provide him or her
4:31 edit and delete buttons, otherwise, nothing.
4:36 Okay, and this won't work out of the box
4:38 because there's not a user associated to this quote yet.
4:44 Let me quickly make a super-user.
4:57 To run the server.
5:05 Right, now I'm having permission to go to the back-end.
5:13 Let me just delete this quote.
5:16 And start fresh, add a quote.
5:26 So here it's my quotes I can edit and delete.
5:31 Let me log-in as the other user.
5:36 Add a quote. And that works.
5:52 So, here I'm logged-in as PieBob, so I can only
5:54 edit my own quote, and the buttons won't show up
5:57 for quotes added by another user.
6:00 And that's because of the template changes we just made.
6:03 Perfect. There's only one final thing we need to fix.
6:06 And that's that I can still go in to other quotes
6:09 when I know the URL.
6:10 So, here, obviously can go into three, because that's mine.
6:14 But I can hack the URL
6:17 and hey, here I can edit somebody else's quote.
6:20 That should never be possible, of course.
6:21 So in the next video, we're going to protect
6:24 the edit and delete quote endpoints
6:27 so that they only will work for the current user.