Is it possible to direct a user back to the previous page coming from the admin dashboard?
I have an "edit" button, and since the "users" who will be able to edit data are savvy enough, I'd rather just have this direct to a change page in admin.
Here is my link:
<td><i class="icon ion-md-create"></i></td>
Use of ?next= from admin doesn't seem to work. For now I'm just having it opened in a different tab, but I'd like to at least know if there is a direct restriction, or if there's more to it when interacting with admin.
Here's an example:
User goes to /stores/1617/
User clicks "Edit"
"Edit" directs them to /admin/inv/lifesafety/1617/change/?next=/stores/1617
After User submits form, User is directed back to /stores/1617
There's no built-in way to do this, but you can accomplish it another way by overriding the response_change method of the LifeSafety admin class.
from django.shortcuts import redirect
class LifeSafetyAdmin(admin.ModelAdmin):
def response_change(self, request, obj):
next = request.GET.get('next')
if next:
return redirect(next)
return super().response_change(request, obj)
Related
In Django admin, when you are looking at a record there is a button called "history". When you click on this button, it tells you when the record was created and by whom and also each time a field was changed and by whom. I find this extremely useful. However, I noted that these only show up for actions that are done on the admin page. So when I change the record through a view, this is not displayed in that history. Is there an easy way to have my views store this information also so that it will all be visible from the admin page?
Thanks so much in advance for your help.
The admin app comes with a model - LogEntry. Every time you do something in the admin app, there is some code somewhere that saves a LogEntry. This is how the app works. For example in the changeform_view there is something like this:
def changeform_view(self, request, ...):
...
if request.method == "POST":
if all_valid(formsets) and form_validated:
# do some other stuff then
self.log_change(request, new_object, change_message)
def log_change(self, request, object, message):
"""
Log that an object has been successfully changed.
The default implementation creates an admin LogEntry object.
"""
from django.contrib.admin.models import CHANGE, LogEntry
return LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(object).pk,
object_id=object.pk,
object_repr=str(object),
action_flag=CHANGE,
change_message=message,
)
LogEntry.objects.log_action is where the log is created. Unfortunately, this doesn't happen anywhere else, unless you were to make it happen.
There's nothing stopping you from doing this though. You can create a LogEntry wherever you want.
Having said that, it might be a bit confusing since when you see a LogEntry you now no longer no if that is a change that has happened because of someone manually changing some data via the admin app, or a change that has occurred programatically. It would probably be a better idea to create your own Log model, and save logs where and when you want.
You can always display your Logs in your in the relevant admin view should you so wish. Something like this will do the trick:
class MyAdmin(admin.modelAdmin):
readonly_fields = (logs_field,)
def logs_field(self, instance):
logs = Log.objects.filter(object=instance)
return format_html_join(
'\n', "<p>{}: {}</p>",
((log.date, log.message) for log in logs)
)
I want to display the home page of my site based on the user type (admin, guest, student, etc.). It would be nice to display a link to the login page for guest users, but this link should be hidden for already authenticated users. For admins there should be a link to django-admin. Besides that there also some differences in the home page for other user roles.
What is a good way to implement this? I have several options for that:
Create html page for each user role: home_guest.html, home_admin.html, ...
Create a single html page but put some if-clauses inside it like {% if user.is_authenticated %}
You can start with the documentation, using:
from django.contrib.auth.decorators import user_passes_test
def email_check(user):
return user.email.endswith('#example.com')
#user_passes_test(email_check)
def my_view(request):
...
which roughly means that if the user passes the test - provided on the email endswith here - then they will be able to see a view. In my case, I deviated a bit from this and created a
class User(AbstractBaseUser):
status: 1,2 per se, in my model:
student=1
teacher=2
STATUS_CHOICES = ((student, "student"),(teacher, "teacher"),)
status = models.IntegerField(choices = STATUS_CHOICES)
This lets you create an is_status property:
#property
def is_status (self):
return self.status
And then in your login view, you can play along with the properties. If it is 1, display this view, otherwise, display this other one.
I want to allow a user to delete his account and upon deletion, I want the user to be logged out and see a html page account_deleted.html for confirmation.
students/views.py:
def delete_account(request):
user = User.objects.get(username=request.user)
user.delete()
context = {
"deleted_msg": "Account has been deleted",
}
return render(request, "students/account_deleted.html", context) and redirect("students:logout")
For logout, I'm using the built-in LogoutView function. The logout redirect URL in my settings.py is set to my home page.
students/urls.py:
path('logout/', LogoutView.as_view(), name='logout'),
In case of an account deletion, how can I make the delete_account(request) function return a render and redirect at the same time? Is that even possible?
Thanks!
You can log the user out before deleting the account by placing logout(request) before your user.delete() line. You will need to import it with from django.contrib.auth import logout.
As Bruno said in his answer, using a redirect instead of render is preferable after a POST request, and you should update your view to only respond to POST requests.
If you are having trouble with your website crashing after a user is deleted, make sure you are using the proper access control in all your views, eg by using the #login_required decorator or the equivalent mixin on all views that require a user to be logged in. If you do this the user will just be redirected to the login page if he or she is not logged in instead of crashing your site.
First things firsts: your view should 1/ only accept logged in users and 2/ only accept POST requests (you definitely dont want a GET request to delete anything from your database). Also, this:
User.objects.filter(username=request.user)
is useless - you already have the current user in request.user - and potentially dangerous if your auth backend allows for duplicated usernames.
and this:
return render(request, "students/account_deleted.html", context) and redirect("students:logout")
is of course plain wrong. A view returns one single HTTP response, you can't return two (it wouldn't make any sense), and you can't "and" two responses together (well, you can but the result is certainly not what you expect - read the FineManual about the and operator).
The proper solution is to 1/ manually log out the user (cf voodoo-burger's answer), 2/ use the messages framework to inform the user her accont has been deleted, and 3/ redirect to the home page (you ALWAYS want to redirect after a successful post, cf https://en.wikipedia.org/wiki/Post/Redirect/Get for the why).
So I have a a HTML page with a table in it which contains details of a certain model. Each row contains details of a different object. I have a cell for a button as well.
Now, what I want is for the user to be able to click on the button and it should take them to the appropriate page for that particular user that they've clicked on. The way I can do this now is by creating a URL that takes a user_id argument along with a view to redirect it to a template. This url can then be added to the button. However, I don't want the user_id to be shown in the URL (being shown in Inspect Element is okay (as in the row ID)).
This rushed, so sorry. How can I do this?
Is there a way to do it without putting any information whatsoever in the URL?
Thank you!
One way to do this is to send user ids from a POST instead of a GET for getting the user info, when the user clicks the button, you submit a hidden form which contains user_id (which you will update accordingly) and pass it to Django. On this POST call you will wire a render of the page for the user according to the POST parameter you are expecting containing the user id.
You can read the post parameters on a request via:
request.POST.get('user_id')
The downside of this approach is that you won't be able to share the link for a certain user, because the link will only contain the get parameters.
Maybe you can refactor your application to use some kind of SPA framework on the front-end. In this way you can load any content on your current page and the URL never changes if you don't want. Take a look for example at AngularJS or Durandal. Both works well with Django.
You can also solve the problem by using POST instead of GET but in my opinion that's not a very elegant solution because POST requests should be used just when you send data to the server.
If your worried about security I don't think keeping the user_id secret will be effective but if for some other reason you have to do this put it in session and redirect to user page without any parameters.
Put your table inside a form and store the id in an attribute of the button on each row:
<button class="mybutton" data-id="{{ my_object.id }}">view</button>
Put a hidden field at the bottom of your form:
<input type="hidden" id="user_id" name="user_id" />
Javascript:
$("table .mybutton").click(function(e) {
e.preventDefault();
$("#user_id").val($(this).attr("data-id"));
$("#my_form").submit();
});
In your table view:
if request.method == "POST":
request.session["user_id"] = request.POST.get('user_id')
return redirect("user_page")
In your details view:
user_id = request.session["user_id"]
creating urls
If the url is relevant to the user; then use the user_id; e.g. http://example.com/mysite/users/<user_id>/userstuff.
obfuscation is not security.
obfuscation is not a permission scheme.
Other possibilities:
http://example.com/mysite/users/<uniqueusername>/userstuff.
http://example.com/mysite/users/<slug>/userstuff.
http://example.com/mysite/users/<encoded>/userstuff, where encoded is either 2-way encoding, or a field on the user model that is unique.
getting logged in user (request.user)
If the url has nothing to do with the user, but you need to get the authenticated user then read the docs: https://docs.djangoproject.com/en/1.7/topics/auth/default/#authentication-in-web-requests.
def my_view(request):
if request.user.is_authenticated():
# use request.user
else:
# something else
I have gotten Creatview() class based function to work. When the submit succeeds, it has already the data and shows the 'success' page.
I'd like to change this behavior this way: When the CreateView() succeeds, I'd like the data to get validated, but not saved. Instead of going to the success page, I'd like to use the DetailView() class to display the newly created instance, so the user can see how it is going to look like when the data is eventually saved..
Once the user is happy with the data displayed, the user can click "save" in which case the data is saved and the CreateView() is completed or the user can click "re-edit", and go back to the form to change the data and then be shown the newly created instance using DetailView() (and repeat until the user is satisfied). What is the best way to do this using class based views elegantly?
from django.views.generic.edit import CreateView
from restaurant.models import Restaurant
from restaurant.forms import RestaurantForm
import uuid
class RestaurantCreate(CreateView):
form_class = RestaurantForm
template_name = 'restaurant_form.html'
model = Restaurant
def form_valid(self, form):
form.instance.created_by = self.request.user
form.instance.life_id = str(uuid.uuid1())
return super(RestaurantCreate, self).form_valid(form)
Also, I do know about Form wizard, but I do not have multiple page forms. Even if I ignore that, Form wizard's does not give the opportunity to preview data before the final save.
Edit: Related discussion on google groups, but no solutions
Here's what I should do:
Overwrite the form_valid method of the RestaurantCreate class and let the save the form in a session. From there you can redirect to another view , your RestaurentDetail view, there you would overwrite the get_object method by reading out the form out of the session and displaying what you need.
There I would also place a form with all fields hidden, except the submit/save button. The form will be populated by whatever was in your session. So when the user presses save a POST is done to another view RestaurantFinalCreate view for example. There you can just implement the CreateView as normal.
If you're uncertain which method to overwrite and how, take a look at: http://ccbv.co.uk/ it has been really helpful to me.
Also don't use super in the form_valid method of the RestaurantCreate view since that would trigger a save in the parent class ModelFormMixin.