Allowing users to delete their own comments in Django
Question:
I am using the delete() function from django.contrib.comments.views.moderation module. The staff-member is allowed to delete ANY comment posts, which is completely fine. However, I would also like to give registered non-staff members the privilege to delete their OWN comment posts, and their OWN only. How can I accomplish this?
Answers:
If you want to mark the comment as deleted, just as django.contrib.comments.views.moderation.delete() does:
from django.contrib.auth.decorators import login_required
from django.contrib.comments.models import Comment
from django.shortcuts import get_object_or_404
from django.conf import settings
from django.contrib import comments
@login_required
def delete_own_comment(request, message_id):
comment = get_object_or_404(comments.get_model(), pk=message_id,
site__pk=settings.SITE_ID)
if comment.user == request.user:
comment.is_removed = True
comment.save()
While this is a little late can’t you do the same thing similarly in the template?
{% if user == comment.user %}
<a href="{% url comments-delete comment.id %}">delete comment</a>
{% endif %}
This uses django’s comments URL:
url(r'^delete/(d+)/$', 'moderation.delete', name='comments-delete'),
I just ran into this problem.
Just re-implementing the logic in comments app’s delete view would couple your implementation to that specific version of the comments app. For example the comment app actual also handles signals when you mark something as deleted and the provided version doesn’t do that.
Fortunately the comments app provides a function which implement the core delete logic with out any permissions. Using it ties yourself to the internal details, but it does so in a very specific way which will either break or work, it won’t ever half work. You can create your own view with its own security model and then call the provided comment app function (from django.contrib.comments.views.moderation import perform_delete)
The code would look something like this:
@login_required
def delete_my_comment(request, comment_id, next=None):
comment = get_object_or_404(comments.get_model(), pk=comment_id)
if comment.user == request.user:
if request.method == "POST":
perform_delete(request, comment)
return redirect("your_view", comment.content_object.id)
else:
return render_to_response('comments/delete.html',
{'comment': comment, "next": next},
RequestContext(request))
else:
raise Http404
You details will vary base on your use case.
I have gone through a few variations (which you can see in this comment’s history), and I think this one is better in all ways than the original solution offered here.
Since you’re using if request.method == 'POST':, in your HTML, you need to send it through a form, something like this:
<form action = "{% url 'comments-delete' %}" method = "POST">
{% csrf_token %}
<input type="hidden" name="comment_id" value="{{ comment.id }}"/>
<input type="hidden" name="blogs_id" value="{{ blogs.id }}"/>
<button>Delete</button>
</form>
views.py:
def delete_comment(request):
id = request.POST['comment_id']
pk = request.POST['blogs_id']
if request.method == 'POST':
comment = get_object_or_404(Comment, id=id, pk=pk)
try:
comment.delete()
messages.success(request, 'You have successfully deleted the comment')
except:
messages.warning(request, 'The comment could not be deleted.')
return redirect('get_posts')
urls.py
path('delete/comment/', delete_comment, name='delete_comment'),
(Using Django 2)
I am using the delete() function from django.contrib.comments.views.moderation module. The staff-member is allowed to delete ANY comment posts, which is completely fine. However, I would also like to give registered non-staff members the privilege to delete their OWN comment posts, and their OWN only. How can I accomplish this?
If you want to mark the comment as deleted, just as django.contrib.comments.views.moderation.delete() does:
from django.contrib.auth.decorators import login_required
from django.contrib.comments.models import Comment
from django.shortcuts import get_object_or_404
from django.conf import settings
from django.contrib import comments
@login_required
def delete_own_comment(request, message_id):
comment = get_object_or_404(comments.get_model(), pk=message_id,
site__pk=settings.SITE_ID)
if comment.user == request.user:
comment.is_removed = True
comment.save()
While this is a little late can’t you do the same thing similarly in the template?
{% if user == comment.user %}
<a href="{% url comments-delete comment.id %}">delete comment</a>
{% endif %}
This uses django’s comments URL:
url(r'^delete/(d+)/$', 'moderation.delete', name='comments-delete'),
I just ran into this problem.
Just re-implementing the logic in comments app’s delete view would couple your implementation to that specific version of the comments app. For example the comment app actual also handles signals when you mark something as deleted and the provided version doesn’t do that.
Fortunately the comments app provides a function which implement the core delete logic with out any permissions. Using it ties yourself to the internal details, but it does so in a very specific way which will either break or work, it won’t ever half work. You can create your own view with its own security model and then call the provided comment app function (from django.contrib.comments.views.moderation import perform_delete)
The code would look something like this:
@login_required
def delete_my_comment(request, comment_id, next=None):
comment = get_object_or_404(comments.get_model(), pk=comment_id)
if comment.user == request.user:
if request.method == "POST":
perform_delete(request, comment)
return redirect("your_view", comment.content_object.id)
else:
return render_to_response('comments/delete.html',
{'comment': comment, "next": next},
RequestContext(request))
else:
raise Http404
You details will vary base on your use case.
I have gone through a few variations (which you can see in this comment’s history), and I think this one is better in all ways than the original solution offered here.
Since you’re using if request.method == 'POST':, in your HTML, you need to send it through a form, something like this:
<form action = "{% url 'comments-delete' %}" method = "POST">
{% csrf_token %}
<input type="hidden" name="comment_id" value="{{ comment.id }}"/>
<input type="hidden" name="blogs_id" value="{{ blogs.id }}"/>
<button>Delete</button>
</form>
views.py:
def delete_comment(request):
id = request.POST['comment_id']
pk = request.POST['blogs_id']
if request.method == 'POST':
comment = get_object_or_404(Comment, id=id, pk=pk)
try:
comment.delete()
messages.success(request, 'You have successfully deleted the comment')
except:
messages.warning(request, 'The comment could not be deleted.')
return redirect('get_posts')
urls.py
path('delete/comment/', delete_comment, name='delete_comment'),
(Using Django 2)