Restricting access to class-based views

We are going to restrict access to the views so that only users with the appropriate permissions can add, change, or delete Course objects. We are going to use the following two mixins provided by django.contrib.auth to limit access to views:

  • LoginRequiredMixin: Replicates the login_required decorator's functionality.
  • PermissionRequiredMixin: Grants access to the view to users that have a specific permission. Remember that superusers automatically have all permissions.

Edit the views.py file of the courses application and add the following import:

from django.contrib.auth.mixins import (LoginRequiredMixin,
                                        PermissionRequiredMixin)

Make OwnerCourseMixin inherit LoginRequiredMixin like this:

class OwnerCourseMixin(OwnerMixin, LoginRequiredMixin):
    model = Course
    fields = ['subject', 'title', 'slug', 'overview']
    success_url = reverse_lazy('manage_course_list')

Then, add a permission_required attribute to the create, update, and delete views, as follows:

class CourseCreateView(PermissionRequiredMixin,
                       OwnerCourseEditMixin,
                       CreateView):
    permission_required = 'courses.add_course'

class CourseUpdateView(PermissionRequiredMixin,
                       OwnerCourseEditMixin,
                       UpdateView):
    permission_required = 'courses.change_course'

class CourseDeleteView(PermissionRequiredMixin,
                       OwnerCourseMixin,
                       DeleteView):
    template_name = 'courses/manage/course/delete.html'
    success_url = reverse_lazy('manage_course_list')
    permission_required = 'courses.delete_course'

PermissionRequiredMixin checks that the user accessing the view has the permission specified in the permission_required attribute. Our views are now only accessible to users that have proper permissions.

Let's create URLs for these views. Create a new file inside the courses application directory and name it urls.py. Add the following code to it:

from django.urls import path
from . import views

urlpatterns = [
    path('mine/',
         views.ManageCourseListView.as_view(),
         name='manage_course_list'),
    path('create/',
         views.CourseCreateView.as_view(),
         name='course_create'),
    path('<pk>/edit/',
         views.CourseUpdateView.as_view(),
         name='course_edit'),
    path('<pk>/delete/',
         views.CourseDeleteView.as_view(),
         name='course_delete'),
]

These are the URL patterns for the list, create, edit, and delete course views. Edit the main urls.py file of the educa project and include the URL patterns of the courses application, as follows:

from django.contrib import admin
from django.contrib.auth import views as auth_views
from django.urls import path, include

urlpatterns = [
    path('accounts/login/', auth_views.LoginView.as_view(), name='login'),
    path('accounts/logout/', auth_views.LogoutView.as_view(), name='logout'),
    path('admin/', admin.site.urls),
    path('course/', include('courses.urls')),
]

We need to create the templates for these views. Create the following directories and files inside the templates/ directory of the courses application:

courses/
    manage/
        course/
            list.html
            form.html
            delete.html

Edit the courses/manage/course/list.html template and add the following code to it:

{% extends "base.html" %}

{% block title %}My courses{% endblock %}

{% block content %}
  <h1>My courses</h1>

  <div class="module">
    {% for course in object_list %}
      <div class="course-info">
        <h3>{{ course.title }}</h3>
        <p>
          <a href="{% url "course_edit" course.id %}">Edit</a>
          <a href="{% url "course_delete" course.id %}">Delete</a>
        </p>
      </div>
    {% empty %}
      <p>You haven't created any courses yet.</p>
    {% endfor %}
    <p>
      <a href="{% url "course_create" %}" class="button">Create new course</a>
    </p>
  </div>
{% endblock %}

This is the template for the ManageCourseListView view. In this template, we list the courses created by the current user. We include links to edit or delete each course, and a link to create new courses.

Run the development server using the command python manage.py runserver. Open http://127.0.0.1:8000/accounts/login/?next=/course/mine/ in your browser and log in with a user that belongs to the Instructors group. After logging in, you will be redirected to the http://127.0.0.1:8000/course/mine/ URL and you should see the following page:

This page will display all courses created by the current user.

Let's create the template that displays the form for the create and update course views. Edit the courses/manage/course/form.html template and write the following code:

{% extends "base.html" %}

{% block title %}
  {% if object %}
    Edit course "{{ object.title }}"
  {% else %}
    Create a new course
  {% endif %}
{% endblock %}

{% block content %}
  <h1>
    {% if object %}
      Edit course "{{ object.title }}"
    {% else %}
      Create a new course
    {% endif %}
  </h1>
  <div class="module">
    <h2>Course info</h2>
    <form action="." method="post">
      {{ form.as_p }}
      {% csrf_token %}
      <p><input type="submit" value="Save course"></p>
    </form>
  </div>
{% endblock %}

The form.html template is used for both the CourseCreateView and CourseUpdateView views. In this template, we check whether an object variable is in the context. If object exists in the context, we know that we are updating an existing course, and we use it in the page title. Otherwise, we are creating a new Course object.

Open http://127.0.0.1:8000/course/mine/ in your browser and click the CREATE NEW COURSE button. You will see the following page:

Fill in the form and click the SAVE COURSE button. The course will be saved and you will be redirected to the course list page. It should look as follows:

Then, click the Edit link for the course you have just created. You will see the form again, but this time you are editing an existing Course object instead of creating one.

Finally, edit the courses/manage/course/delete.html template and add the following code:

{% extends "base.html" %}

{% block title %}Delete course{% endblock %}

{% block content %}
  <h1>Delete course "{{ object.title }}"</h1>

  <div class="module">
    <form action="" method="post">
      {% csrf_token %}
      <p>Are you sure you want to delete "{{ object }}"?</p>
      <input type="submit" class="button" value="Confirm">
    </form>
  </div>
{% endblock %}

This is the template for the CourseDeleteView view. This view inherits from DeleteView provided by Django, which expects user confirmation to delete an object.

Open your browser and click the Delete link of your course. You should see the following confirmation page:

Click the CONFIRM button. The course will be deleted and you will be redirected to the course list page again.

Instructors can now create, edit, and delete courses. Next, we need to provide them with a CMS to add modules and contents to courses. We will start by managing course modules.
