Only let you delete your own posts

Andrew Godwin 2022-11-27 00:55:19 -07:00
parent 9cd1fccde5
commit 0f77f0ba96


@ -1,5 +1,5 @@
from django import forms from django import forms
from django.http import JsonResponse from django.http import Http404, JsonResponse
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.utils.decorators import method_decorator from django.utils.decorators import method_decorator
from django.views.generic import FormView, TemplateView, View from django.views.generic import FormView, TemplateView, View
@ -145,6 +145,9 @@ class Delete(TemplateView):
def dispatch(self, request, handle, post_id): def dispatch(self, request, handle, post_id):
self.identity = by_handle_or_404(self.request, handle, local=False) self.identity = by_handle_or_404(self.request, handle, local=False)
self.post_obj = get_object_or_404(self.identity.posts, pk=post_id) self.post_obj = get_object_or_404(self.identity.posts, pk=post_id)
# Make sure the request identity owns the post!
if self.post_obj.author != request.identity:
raise Http404("Post author is not requestor")
return super().dispatch(request) return super().dispatch(request)
def get_context_data(self): def get_context_data(self):
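Review bot: The ownership check added to `Delete.dispatch` closes an authorization gap on a destructive action, but no regression test is visible alongside it. A test should request the delete URL as a different identity and assert a 404 with the post still present. The check also depends on `request.identity` being populated before `dispatch` runs, and the class decorators that would guarantee that are outside this hunk. If it is `None`, the `!=` comparison presumably fails closed, which the comment could state: `# Fail closed: a request with no active identity is rejected too`. Because the post is fetched through `self.identity.posts`, the same guard could run before the post lookup as `if self.identity != request.identity:`, provided `posts` is the author relation (not shown here). Other views in this file that resolve an identity from the URL handle and then modify a post are not visible in this diff and should be checked for the same missing guard.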