Django rest framework add extra context in response - django

I am using a updateapiview to the update my user information. This is my view
class UserUpdateView(generics.UpdateAPIView):
serializer_class = UserUpdateSerializer
def get_queryset(self):
print(self.kwargs['pk'])
return User.objects.filter(pk=self.kwargs['pk'])
def partial_update(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data, partial=True)
if self.get_object() != request.user:
return Response({'error': 'permission denied'}, status=status.HTTP_400_BAD_REQUEST)
print(request.data['password'])
request.data['password'] = make_password(request.data['password'])
instance = super(UserUpdateView, self).partial_update(request, *args, **kwargs)
return instance
This is my serializer
class UserUpdateSerializer(serializers.ModelSerializer):
email = serializers.EmailField(required=True)
def validate_username(self, username):
if User.objects.filter(username=username):
raise serializers.ValidationError('Username already exists!!')
return username
def validate_email(self, email):
if User.objects.filter(email=email):
raise serializers.ValidationError('Email already exists!!')
return email
class Meta:
model = User
fields = ('pk', 'username', 'password', 'email')
read_only_fields = ('pk',)
I am getting the data updated and returned successfully. But I want to add some field like message with content 'successfully updated' on successful updation of the user profile. I searched if there is any way to perform this but can't find the appropriate way to do it (alike get_context_data method in django). So, is there any way to perform the above task ??
Question 2:
How to prevent the self user ( i.e if has a email sample#gmail.com and if user clicks udpate with the same email, it should not raise an error that username already exists, I guess this can be done with self.instance (but not sure how actually to implement it).
Thanks!


I'm not sure what version of DRF you are using but in the latest 3.9.0 UpdateAPIView uses UpdateModelMixin, which returns Response object instead of instance. So you can modify data before returning.
def partial_update(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data, partial=True)
if self.get_object() != request.user:
return Response({'error': 'permission denied'}, status=status.HTTP_400_BAD_REQUEST)
print(request.data['password'])
request.data['password'] = make_password(request.data['password'])
response = super(UserUpdateView, self).partial_update(request, *args, **kwargs)
response.data['message'] = 'Successfully updated'
return response
Regarding your second question you can exclude the current user using self.instance.
def validate_email(self, email):
if User.objects.filter(email=email).exclude(id=self.instance.id).exists():
raise serializers.ValidationError('Email already exists!!')
return email

Related

django rest framework RetrieveUpdate

I'm now making user profile update API using drf with RetreiveUpadteAPIView
there is one question that i can't figure out what the solution is.
This is what i want. I wanna update password and update other user data once for all.
changing password is worked as well as i supposed but other user datas (nick_name', 'wannabe', 'profile_img') are not save on DB through this logic below.
When i do self.object.set_password(), self.object.save() first and then do perform_update after. then user datas are well updated on DB. but password is saved without hashed even if i do set_password which is make the password hashed.
How can i fix it..
your best regard
Here is my code below.
#views.py
#permission_classes([IsAuthenticated])
class UpdatePartialUserView(RetrieveUpdateAPIView):
queryset = User.objects.all()
serializer_class = UserProfileSerializer
def get_object(self):
queryset = self.filter_queryset(self.get_queryset())
obj = queryset.get(pk=self.request.user.id)
self.check_object_permissions(self.request, obj)
return obj
def retrieve(self, request, *args, **kwargs):
serializer = UserSerializer(request.user)
return Response(status=status.HTTP_200_OK, data = serializer.data)
def update(self, request, *args, **kwargs):
partial = kwargs.pop('partial', False)
self.object = self.get_object()
serializer = self.get_serializer(request.user, data = request.data, partial=partial)
# serializer = self.get_serializer(self.object, data = request.data, partial=partial)
if not serializer.is_valid(raise_exception=True):
return Response(status=status.HTTP_409_CONFLICT, data = {'message':serializer.errors})
self.perform_update(serializer=serializer)
#make password hashed
self.object.set_password(request.data['password'])
self.object.save()
return Response(status=status.HTTP_202_ACCEPTED, data={"message": "success!"})
#serializers.py
class UserProfileSerializer(serializers.ModelSerializer):
password = serializers.CharField(write_only=True, required=True)
password2 = serializers.CharField(write_only=True, required=True)
old_password = serializers.CharField(write_only=True, required=True)
profile_img = serializers.ImageField(use_url=True, required = False)
def validate(self, attrs):
if attrs.get('password') != attrs.get('password2'):
raise serializers.ValidationError({
"password" : "passwords are not paired."})
return attrs
def validate_old_password(self, value):
#check user
request = self.context.get('request')
if request and hasattr(request, "user"):
user = request.user
if not user.check_password(value):
raise serializers.ValidationError({
"old_password" : "Old password is not correct."
})
return value
class Meta:
model = User
fields = ['nick_name', 'wannabe', 'old_password', 'password', 'password2', 'profile_img']

I think something like that should work.
def update(self, request, *args, **kwargs):
partial = kwargs.pop('partial', False)
self.object = self.get_object()
serializer = self.get_serializer(request.user, data = request.data, partial=partial)
if not serializer.is_valid(raise_exception=True):
return Response(status=status.HTTP_409_CONFLICT, data = {'message':serializer.errors})
self.object.set_password(new_password)
self.object.update(
nick_name=serializer.data["nickname"],
wannabe=serializer.data["wannabe"],
profile_img=serializer.data["profile_img"],
)
self.object.save()
return Response(status=status.HTTP_202_ACCEPTED, data={"message": "success!"})

form.is_valid () always returns False in Django

I got a strange bug. I am failing validation if I add an email field. If validation for only 1 username field, then everything works fine. Tell me please, what am I doing wrong?
file forms.py:
class UserUpdateForm(forms.ModelForm):
email = forms.EmailField(required=False)
def __init__(self, user, *args, **kwargs):
self.user = user
super(UserUpdateForm, self).__init__(*args, **kwargs)
if 'label_suffix' not in kwargs:
kwargs['label_suffix'] = '*'
self.fields['username'].widget = forms.TextInput(attrs={'class':'input-text'})
self.fields['email'].widget = forms.EmailInput(attrs={'class':'input-text'})
class Meta:
model = User
fields = ("username","email",)
file views.py:
def get_context_data(self, request):
self.object = get_object_or_404(Profile,slug=self.kwargs['slug'])
ctx={}
ctx['UserUpdateForm']=UserUpdateForm(request.POST if "UserUpdateForm" in request.POST else None,instance=request.user)
сtx['comments']=Comments.objects.filter(profile=self.object)
return ctx
def post(self, request, *args, **kwargs):
if request.method=='POST':
if "UserUpdateForm" in request.POST:
form=UserUpdateForm(request.POST)
if form.is_valid():
user=User.objects.get(username=self.request.user)
user.username=form.cleaned_data.get('username')
user.email=form.cleaned_data.get('email')
user.save()
obj=Profile.objects.get(user__username=user.username)
return HttpResponseRedirect(reverse_lazy('profile',kwargs={'slug': obj.slug},))
return render(request,self.template_name,self.get_context_data(request))

You construct your form with an extra parameter user:
class UserUpdateForm(forms.ModelForm):
def __init__(self, user, *args, **kwargs):
# …
so that means that the first parameter when you construct the form is the user. You thus should pass a user:
form=UserUpdateForm(request.user, request.POST)
or if you want to edit the user object:
form=UserUpdateForm(request.user, request.POST, instance=request.user)
it however does not make much sense to pass the user, since as far as one can see, you never use the .user attribute in your form.

I want to force change password on first login Django Rest

I have a custom User model with field is_resetpwd as a boolean field with default value True
I want that to change to False when the password is changed, following is my password change view
class ChangePasswordView(APIView):
"""
An endpoint for changing password.
"""
serializer_class = ChangePasswordSerializer
model = User
permission_classes = (IsAuthenticated,)
def get_object(self, queryset=None):
obj = self.request.user
# print("obj", obj)
return obj
def post(self, request, *args, **kwargs):
self.object = self.get_object()
serializer = self.serializer_class(data=request.data)
if serializer.is_valid():
# Check old password
if not self.object.check_password(serializer.data.get("old_password")):
return Response({"old_password": ["Wrong password."]}, status=status.HTTP_400_BAD_REQUEST)
# set_password also hashes the password that the user will get
self.object.set_password(serializer.data.get("new_password"))
self.object.save()
response = {
'message': 'Password updated successfully',
}
return Response(response)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
what should I add in this to change my boolean value

Just before save() add this
self.object.is_resetpwd = False
and then save the objects just like before
The updated code will look like this
"""
An endpoint for changing passwords.
"""
serializer_class = ChangePasswordSerializer
model = User
permission_classes = (IsAuthenticated,)
def get_object(self, queryset=None):
obj = self.request.user
# print("obj", obj)
return obj
def post(self, request, *args, **kwargs):
self.object = self.get_object()
serializer = self.serializer_class(data=request.data)
if serializer.is_valid():
# Check old password
if not self.object.check_password(serializer.data.get("old_password")):
return Response({"old_password": ["Wrong password."]}, status=status.HTTP_400_BAD_REQUEST)
# set_password also hashes the password that the user will get
self.object.set_password(serializer.data.get("new_password"))
self.object.is_resetpwd = False
self.object.save()
response = {
'message': 'Password updated successfully',
}
return Response(response)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

Owner of the data and superuser should only be able to update the data using CBV

This is my UpdateView. As i have just started django. I am a newbie
views.py
#method_decorator(login_required, name='dispatch')
class ProductUpdateView(UpdateView):
fields = ('product_name', 'product_cost')
model = Product
def form_valid(self, form):
product = get_object_or_404(Product, pk=self.object.pk)
user = self.request.user
if user == product.created_by or user.is_superuser:
pass
else:
raise Http404() #I tried this but it didn't work
I have created a superuser and a user. Superuser should be able to update all the product of both his and everyone else's but user should be only be able to update his product only.
urls.py
urlpatterns = [
url(r'^product/(?P<pk>\d+)/update/$',
login_required(ProductUpdateView.as_view()), name='product_update'),
]
I have a created a product using superuser, which has pk = 1. When i login with some user (Which not superuser) and visit the above url. This user is able to update superuser's product.
models.py
class Product(models.Model):
product_name
product_cost # This two fields and created_by
created_by = models.ForeignKey(
User, on_delete=models.CASCADE, related_name="Product", null=True)
Is there any way that own of the data can update that data and if user tries to access someone else's data it should Http404.

#method_decorator(login_required, name='dispatch')
class ProductUpdateView(UpdateView):
fields = ('product_name', 'product_cost')
model = Product
def user_passes_test(self, request):
if request.user.is_authenticated or request.user.is_superuser:
self.object = self.get_object()
return self.object.user == request.user
return False
def dispatch(self, request, *args, **kwargs):
if not self.user_passes_test(request):
return redirect('someview')
return super(ProductUpdateView, self).dispatch(
request, *args, **kwargs)
i have created a function to check the logged in user is superuser and logged in or not, then passing the object instance to check if it belongs to the user or not

Try doing this as #Exprator did.
def user_passes_test(self, request):
if request.user.is_authenticated:
self.object = self.get_object()
return self.object.created_by == request.user
return False
def dispatch(self, request, *args, **kwargs):
if request.user.is_superuser:
return super(RemitterUpdateView, self).dispatch(request, *args, **kwargs)
elif not self.user_passes_test(request):
return redirect("remitter_search")
return super(RemitterUpdateView, self).dispatch(request, *args, **kwargs)

How to pass request to django form?

How to pass request to django form?
I am creating a django update profile form where user could change profile email. I want to check if email in form belongs to logged user if not then I want to check if this email is used by others users before setting it as new users email.
Here is my code and this self.request.user.email doesn't work:
def clean_email(self):
email = self.cleaned_data.get("email")
owns_email = (email != self.request.user.email)
if User.objects.filter(email__icontains=email).exists() and owns_email:
raise forms.ValidationError("This email aldready registered.")
return email
So maybe there is better solution to solve my problem?

Since you are using a cbv, you can use the get_form_kwargs function from the FormMixin.
It could look something like this:
class UserProfileUpdateView(UpdateView):
...
def get_form_kwargs(self):
'''This goes in the Update view'''
kwargs = super(UserProfileUpdateView, self).get_form_kwargs() #put your view name in the super
user = self.request.user
if user:
kwargs['user'] = user
return kwargs
Then your form class would look something like this, based on your above code:
class UserProfileUpdateForm:
...
def __init__(self, *args, **kwargs):
if kwargs.get('user'):
self.user = kwargs.pop('user', None)
super(UserProfileUpdateForm, self).__init__(*args,**kwargs)
def clean_email(self):
email = self.cleaned_data.get("email")
owns_email = (email != self.user.email)
if User.objects.filter(email__icontains=email).exists() and owns_email:
raise forms.ValidationError("This email already registered.")
return email

The form doesn't have the Request object. You need to manually pass the currently logged in user in the constructor. Your form should look something like this:
class UserProfileForm(forms.Form):
user = None
def __init__(self, *args, **kwargs):
self.user = kwargs.pop('user')
super(UserProfileForm, self).__init__(*args, **kwargs)
...
def clean_email(self):
email = self.cleaned_data['email']
owns_email = (email != self.user.email)
if User.objects.filter(email__icontains=email).exists() and owns_email:
raise forms.ValidationError('This email already registered.')
return email
...
Instantiating the form in the view:
def edit_profile(request):
form = UserProfileForm(user=request.user)
...