views: 215
answers: 3

I am using the delete() function from django.contrib.comments.views.moderation module. The staff-member is allowed to delete ANY comment posts, which is completely fine. However, I would also like to give registered non-staff members the privilege to delete their OWN comment posts, and their OWN only. How can I accomplish this?

+1  A: 

If you want to mark the comment as deleted, just as django.contrib.comments.views.moderation.delete() does:

from django.conf import settings
from django.contrib import comments
from django.contrib.auth.decorators import login_required
from django.http import Http404, HttpResponseRedirect
from django.shortcuts import get_object_or_404

@login_required
def delete_own_comment(request, message_id):
    # Look the comment up on the current site; an unknown id gives a 404
    # instead of a 500.
    comment = get_object_or_404(comments.get_model(), pk=message_id,
                                site__pk=settings.SITE_ID)
    # Only the author may remove it; answer 404 to anyone else rather than
    # revealing that the comment exists.
    if comment.user != request.user:
        raise Http404
    # Flag the comment as removed, as moderation.delete() does, instead of
    # deleting the row.
    comment.is_removed = True
    comment.save()
    # Send the user back to the page they came from.
    return HttpResponseRedirect(request.META.get('HTTP_REFERER', '/'))
Luper Rouch
I like to use Http404 in this case as it reveals little about your system if someone is mucking with URLs: `if comment.user != request.user: raise Http404`. You can also use `get_object_or_404` to retrieve the comment, which makes more sense than a 500 error if a bad message_id is sent in the URL.
Joe Holloway
The above-mentioned example almost works. I should have said that I wanted the comments to be flagged for deletion instead of actually deleting the comments. To do that, it seems like I need to send a POST request. How do I send a POST request as opposed to a GET?
RaDeuX
You don't need to send a POST; you can just mimic what the `comments` view does. See edit.
Luper Rouch
Okay, that's almost what I was looking for. All I have to do is make the HTTP_REFERER load again instead of the debug page. Would render_to_response be best for that?
RaDeuX
HttpResponseRedirect did the job. Thanks for your help.
RaDeuX
You should also be careful to ensure that this isn't vulnerable to XSRF.
Paul Fisher
A: 

While this is a little late, can't you do the same thing similarly in the template?

{% if user == comment.user %}
  <a href="{% url comments-delete comment.id %}">delete comment</a>
{% endif %}

This uses Django's comments URL:

url(r'^delete/(\d+)/$', 'moderation.delete', name='comments-delete'),
tsoporan
I thought about this too. However, that delete function requires the user to have the delete comment permission. If I give every normal user the permission to delete any comment, I would have a serious security issue.
RaDeuX
A: 

I just ran into this problem.

Just re-implementing the logic in the comments app's delete view would couple your implementation to that specific version of the comments app. For example, the comments app actually also handles signals when you mark something as deleted, and the provided version doesn't do that.

Fortunately the comments app provides a function which implements the core delete logic without any permissions. Using it ties you to the internal details, but it does so in a very specific way which will either break or work; it won't ever half work. You can create your own view with its own security model and then call the provided comments app function (from django.contrib.comments.views.moderation import perform_delete).

The code would look something like this:

from django.contrib import comments
from django.contrib.auth.decorators import login_required
from django.contrib.comments.views.moderation import perform_delete
from django.http import Http404
from django.shortcuts import get_object_or_404, redirect, render_to_response
from django.template import RequestContext

@login_required
def delete_my_comment(request, comment_id, next=None):
    comment = get_object_or_404(comments.get_model(), pk=comment_id)
    # Only the comment's author may delete it; anyone else gets a 404 so the
    # URL reveals nothing about whether the comment exists.
    if comment.user == request.user:
        if request.method == "POST":
            # perform_delete flags the comment as removed and sends the
            # comments app's signals; it checks no permission itself.
            perform_delete(request, comment)
            return redirect("your_view", comment.content_object.id)
        else:
            # GET: show the confirmation form, which posts back to this view.
            return render_to_response('comments/delete.html',
                                      {'comment': comment, "next": next},
                                      RequestContext(request))
    else:
        raise Http404

Your details will vary based on your use case.

I have gone through a few variations (which you can see in this comment's history), and I think this one is better in all ways than the original solution offered here.

amjoconn