#100DaysOfWeb in Python Transcripts
Chapter: Days 53-56: Django part 2 - registration and login
Lecture: Protecting views with Django's @login_required decorator

0:00 In this last video we're going to make sure that a user can only edit or delete his or her own quotes. In going back to the views
0:10 we have edit and delete views that retrieve an object or 404. And those are now wide open to all users.
0:17 I'm just going to make the query a bit more specific to make sure that the user that's retrieving the quote is the user that owns the quote.
0:30 I don't need to add in quote detail because any user can view the quote. It's only necessary for edit and delete.
0:42 Again, request gets passed into each view. And here we update the query. Save that. And let's try the thing again we did last time.
0:57 So three. That's my quote, that's fine. And now we get a 404 because quote ID 2 is not my quote. Finally when I log out these URLs are accessible.
1:14 They fail with anonymous user because at this point there's not a session. So there's not a request.user. It will be a lot more elegant
1:23 if these routes would redirect me to a log in. So let's do that next. We're going to use django.contrib.auth.decorators.login_required
1:42 And what's nice about this decorator is that it can decorate views. So quote_new I can use it like @login_required.
1:52 Now this is a great example of a decorator because here's my quote_new function. And I can wrap it with login_required decorator which takes the view
2:03 checks if the user has logged in. If so, returns to view. If not, it redirects to the log in page.
2:11 So that's very nice because this is repeated behavior and we all abstracted it away in a decorator that comes with Django.
2:22 And that's it. Let's try it now. I'm not logged in. Boom. It redirects to accounts log in. To the next URL parameter
2:32 of the relative URL it needs to go next to. So I'm going to log in and there you go. If I would have done this on quote two
2:49 I get a 404. So that still works. Awesome. So we have a fully working app with log in and registration
3:01 and even with some protection of the user's data. I can edit a quote. I can delete a quote. It's all working. I can add a quote.
3:15 Again it only shows delete of my own stuff and not on somebody else's. But of course it can still view the quote
3:22 and actually I should get rid of this edit button here. So let's also fix that quickly. And that's in the quotes/templates/quotes/quote_detail.html.
3:36 So this edit button actually should only show if the quote is from the user. And we have seen this if before.
3:55 Let's try it out again. This is not my quote so I don't have an edit button. This is my quote so I have an edit button, great. So now the app is done
4:08 a full-fledged Django app with registration and log in. You can log in, reset password, we didn't try this. It will send an email. I can register.
4:37 We saw that this sends an email, etc. So that concludes the videos of this day. And now you're ready to get into some practice.

