#100DaysOfWeb in Python Transcripts
Chapter: Days 53-56: Django part 2 - registration and login
Lecture: Protecting views with Django's @login_required decorator
0:00 In this last video we're going to make sure
0:03 that a user can only edit or delete his or her own quotes.
0:06 Going back to the views,
0:09 we have the edit and delete views
0:11 that retrieve an object or 404.
0:14 And those are now wide open to all users.
0:16 I'm just going to make the query a bit more specific
0:20 to make sure that the user that's retrieving the quote
0:25 is the user that owns the quote.
0:29 I don't need to add it in quote_detail
0:31 because any user can view the quote.
0:33 It's only necessary for edit and delete.
0:41 Again, request gets passed into each view.
0:45 And here we update the query. Save that.
0:53 And let's try the thing again we did last time.
0:56 So three. That's my quote, that's fine.
1:02 And now we get a 404 because quote ID 2 is not my quote.
1:08 Finally when I log out
1:10 these URLs are accessible.
1:13 They fail with AnonymousUser because
1:16 at this point there's no session.
1:18 So there's no request.user.
1:20 It will be a lot more elegant
1:22 if these routes would redirect me to a log in.
1:25 So let's do that next.
1:27 We're going to use
1:41 And what's nice about this decorator is that
1:43 it can decorate views. So quote_new
1:47 I can use it like @login_required.
1:51 Now this is a great example of a decorator
1:54 because here's my quote_new function.
1:57 And I can wrap it with login_required decorator
2:01 which takes the view
2:02 checks if the user has logged in.
2:04 If so, it returns the view.
2:06 If not, it redirects to the log in page.
2:10 So that's very nice because this is repeated behavior
2:14 and it's all abstracted away in a decorator
2:17 that comes with Django.
2:21 And that's it. Let's try it now.
2:24 I'm not logged in.
2:26 Boom. It redirects to accounts/login,
2:28 with the next URL parameter set to
2:31 the relative URL it needs to go to next.
2:35 So I'm going to log in and there you go.
2:45 If I do this on quote two,
2:48 I get a 404. So that still works.
2:53 Awesome. So we have a fully working app
2:57 with log in and registration
3:00 and even with some protection of the user's data.
3:03 I can edit a quote. I can delete a quote.
3:09 It's all working. I can add a quote.
3:14 Again, it only shows delete for my own stuff
3:16 and not for somebody else's.
3:18 But of course I can still view the quote,
3:21 and actually I should get rid of this edit button here.
3:26 So let's also fix that quickly.
3:28 And that's in quotes/templates/quotes/quote_detail.html.
3:35 So this edit button actually should only show
3:38 if the quote is from the user.
3:41 And we have seen this if before.
3:54 Let's try it out again.
3:56 This is not my quote so I don't have an edit button.
4:00 This is my quote so I have an edit button, great.
4:05 So now the app is done
4:07 a full-fledged Django app with registration and log in.
4:10 You can log in,
4:14 reset your password (we didn't try this;
4:21 it will send an email). I can register.
4:36 We saw that this sends an email, etc.
4:41 So that concludes the videos of this day.
4:45 And now you're ready to get into some practice.