JaqiKal
commented
6 months ago Solution is
- Implement checks to ensure that only the owner of a book can view, update, or delete it.
- Add conditional checks for
request.user.is_authenticatedinBookDetailView,BookUpdateView, andBookDeleteViewto raiseHttp404if unauthorized access is attempted. - Refactor
get_querysetmethods to return user-specific book lists. - Correct error messages to inform users when they lack the required permissions.
- Include custom error pages (403, 404, 500) to handle unauthorized access or internal server errors.
Problem: Users who are not the creators of a book can access and edit any book by directly navigating to its edit URL, bypassing permission checks.
Encountered: During early testing (ET)
Can it be Reproduced: Yes it is reproducable.
Impact: Well....let's say that this is bad, very bad.
Possible Solution: Implement permission checks to ensure that only the creator (or an admin) can edit or view the book edit page.