Set current user as update object, require login

* Instead of setting the `model` property on the UpdateView class, adds
a get_object method which returns the current user. This prevents any
user from editing another user's data.
* Adds the LoginRequiredMixin to the ProfileConfigureView to limit
access to authenticated users.
parent c038eac5
......@@ -10,6 +10,7 @@ from password_reset.views import Recover
from .serializers import UserSerializer
from .forms import PasswordRecoveryForm, PasswordChangeForm, \
ProfileConfigureForm
from django.contrib.auth.mixins import LoginRequiredMixin
from django.contrib.auth.views import PasswordChangeView \
as BasePasswordChangeView
from django.contrib.auth.views import PasswordChangeDoneView \
......@@ -67,13 +68,13 @@ class PasswordChange(BasePasswordChangeView):
return context
class ProfileConfigureView(UpdateView):
class ProfileConfigureView(LoginRequiredMixin, UpdateView):
template_name = 'purist/profile_configure.html'
form_class = ProfileConfigureForm
success_url = reverse_lazy('profile')
model = User
slug_field = 'username'
slug_url_kwarg = 'username'
def get_object(self, queryset=None):
return self.request.user
def get_context_data(self, **kwargs):
context = super(ProfileConfigureView, self).get_context_data(**kwargs)
......
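Review bot: `get_object` now discards both its `queryset` argument and whatever the URL captures, and nothing in the method says this is deliberate. Since that is the whole access-control fix, it deserves a docstring such as `"""Always edit the logged-in user; the queryset and URL kwargs are deliberately ignored so one account cannot load another's profile."""`, so a later refactor does not reintroduce the `model`/`slug_field` lookup. If the route for this view still captures a `username` segment (the URLconf is not visible here), that segment is now unused and a request naming a different account would quietly show the requester's own form; dropping the parameter from the route or returning 404 on a mismatch would make the behaviour explicit. `LoginRequiredMixin` is listed before `UpdateView`, which is the order needed for anonymous requests to be redirected before `get_object` runs. The class body continues past the end of the hunk.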