Set current user as update object, require login

* Instead of setting the `model` property on the UpdateView class, adds a get_object method which returns the current user. This prevents any user from editing another user's data. * Adds the LoginRequiredMixin to the ProfileConfigureView to limit access to authenticated users.

Set current user as update object, require login
* Instead of setting the `model` property on the UpdateView class, adds a get_object method which returns the current user. This prevents any user from editing another user's data. * Adds the LoginRequiredMixin to the ProfileConfigureView to limit access to authenticated users.
7e190174 · Jack Ketcham · c038eac5 · 7e190174
Verified Commit 7e190174 authored May 15, 2019 by Jack Ketcham
--- a/purist/views.py
+++ b/purist/views.py
@@ -10,6 +10,7 @@ from password_reset.views import Recover
 from .serializers import UserSerializer
 from .forms import PasswordRecoveryForm, PasswordChangeForm, \
    ProfileConfigureForm
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.auth.views import PasswordChangeView \
    as BasePasswordChangeView
 from django.contrib.auth.views import PasswordChangeDoneView \
@@ -67,13 +68,13 @@ class PasswordChange(BasePasswordChangeView):
        return context


-class ProfileConfigureView(UpdateView):
+class ProfileConfigureView(LoginRequiredMixin, UpdateView):
    template_name = 'purist/profile_configure.html'
    form_class = ProfileConfigureForm
    success_url = reverse_lazy('profile')
-    model = User
-    slug_field = 'username'
-    slug_url_kwarg = 'username'
+
+    def get_object(self, queryset=None):
+        return self.request.user

    def get_context_data(self, **kwargs):
        context = super(ProfileConfigureView, self).get_context_data(**kwargs)