Django - View Other user profile

Question

I am using Django 1.6 to create a web app.. I have users and user profiles and have designed templates to display the profile information of the user.

class UserProfile(models.Model):
    class Meta:
        app_label = 'xyz'

    user = models.OneToOneField(User, related_name='user_profile')
    description = models.CharField(max_length=200)
    ... other fields ...

I have various edit buttons on the template where the user views his profile information. Also, a user can view another user's profile. In this case, the user should not be able to see the edit, delete or add buttons.

Are there in-built security mechanisms for this? What is the best way to implement this using Django 1.6?

Thanks in advance.

djangonaut djangonaut · Accepted Answer · 2015-03-12T06:14:18

Django has a default set of permissions (change, add, delete) for each model. You can use them in your template to hide the buttons or use a simple check if the user shown is also the user viewing the page.

{% if perms.accounts.change_user %}
Edit
{% endif %}

or

{% if edit_user == user %}
Edit
{% endif %}

Then also in your view on a POST request you want to check if someone is trying to change another user and return a HttpResponseForbidden.

from django.http import HttpResponseForbidden

...

if not request.user == user:
    return HttpResponseForbidden()

Django - View Other user profile

1 Answers