#100DaysOfWeb in Python Transcripts
Chapter: Days 53-56: Django part 2 - registration and login
Lecture: Update templates to only show edit buttons to quote owners

Login or purchase this course to watch this video and the rest of the course contents.
0:01 Okay, let's start making the changes required to have users submit and edit their own quotes. So, lets check at the files we have in applications.
0:13 We have forms, views, the model we did in the last lesson. Let's first review forms. This is okay.
0:21 Because I define 'quote', 'other', 'source' and 'cover' as the fields that should show up in the form. But I actually can shorten this a little bit.
0:29 Because instead of stating the fields explicitly we can just say, "Give me all the fields," and exclude the new user field.
0:43 And that's because in the view, we will set the user upon save, or add. And we load the user then in from the request session.
0:51 So, I want all the fields in my form except user. Okay? Then, the views. We have quote_new and quote_edit'.
1:00 Here we need to do a little bit of ORM magic. So, when the form is valid this is saved to the database. But we don't save the user yet.
1:08 So what we want to do here is to do a commit=False' so don't commit it yet. Write the user to the user field And then save the form.
1:25 And here I want to actually assign it to a variable. So save the form like a draft, so to say. Add the user to it. And then save it to the database.
1:35 And this code is actually the same in the edit action. So you could actually factor this out because it's duplicate code, but
1:42 for now we leave it like this. So upon save, on add or edit, the request user which is the current user that's editing
1:50 that's in the request session variable that's passed into every view. That user gets set on the form object and saved to the database.
1:59 Now I need to update the templates. And let's start with quotes_list. First of all, there's this 'Add a quote' button.
2:12 But that should only be visible for logged-in users. So let's wrap this in a conditional. And we saw that before, we can do
2:20 if request.user.is_authenticated we can show this button. Else, we can actually show a log-in button. So the same HTML.
2:42 But the link changes. To login. Let's see this in action. So, here I'm logged in, let's quickly log out. Still shows edit quote.
3:00 Ah, because I didn't update the link text. Let's try it now. There you go. Login to add quotes. And I can login
3:17 and the button changed to add a quote. Great. Here I need to make two more changes and that's to show the edit buttons only
3:26 for the current user's quotes. And I want to show the user that added the quote and we can do that, for example, in the same column as the time-stamp.
3:37 So the quote object will have a new user field as defined in the model. So I'm just bouncing that here. And here, I make another conditional
3:47 if quote.user == request.user Then show me the edit buttons. Else, to have a proper layout of the table I'm just going to show the table cell
4:07 with colspan = 2. So, 2001, so to say. And that's just that the table still flows if there's no buttons. And we get proper styling.
4:23 Okay, so this looks for all the quotes and if the quote was added by the user that's currently logged-in, then we provide him or her
4:32 edit and delete buttons, otherwise, nothing. Okay, and this won't work out of the box because there's not a user associated to this quote yet.
4:45 Let me quickly make a super-user. To run the server.
5:06 Right, now I'm having permission to go to the back-end. Let me just delete this quote. And start fresh, add a quote.
5:27 So here's it's my quotes I can edit and delete. Let me log-in as the other user. Add a quote. And that works.
5:53 So, here I'm logged-in as PieBob, so I can only edit my own quote, and the buttons won't show up for quotes added by another user.
6:01 And that's because of the template changes we just made. Perfect. There's only one final thing we need to fix.
6:07 And that's that I can still go in to other quotes when I know the URL. So, here, obviously can go into three, because that's mine.
6:15 But I can hack the URL and hey, here I can edit somebody else's quote. That should never be possible, of course.
6:22 So in the next video, we're going to protect the edit and delete quote end points so that they only will work for the current user.


Talk Python's Mastodon Michael Kennedy's Mastodon