Django: UpdateView restrict per user

Question

I have a site where users can create and edit their own lists.

I'm using the generic view CreateView to allow users to create lists.

I would like to use the generic view UpdateView to allow them to edit the lists, but the login_required=True is not enough in this case, since only the list creator can edit his/her list.

2 questions:

1) is there any parameter that I can specify in the URLconf to add this restrictions?

2) can I impose the those generic views should only work with POST and not GET?

Thanks

Answer 1

You could override get_queryset on the UpdateView:

def get_queryset(self):
    base_qs = super(YourListUpdateView, self).get_queryset()
    return base_qs.filter(user=self.request.user)

Answer 2

1) you can write decorator and use it same way as login_required decorator, ie:

def user_permitted(function):
    def decorator(function):
        def _wrapped_view(request, *args, **kwargs):
            # get obj from request
            if obj.user != request.user:
                return HttpResponseRedirect(reverse('forbidden'))
            return function(request, *args, **kwargs)
        return _wrapped_view
    return decorator(function)

2) yes, see decorators and Decorating class-based views