Custom authorization restriction in Django view
I have an app. The app has users, posts, comments on posts, etc. (it's kinda a blog). The task is to limit users from editing objects that do not belong to them. For example, a user cannot edit posts (or comments) made by another one. I want to write a decorator for it in order to authorize the user's actions. So I did, but now I got an error:
ValueError: The view blog.views.wrapper didn't return an HttpResponse object. It returned None instead.
My code:
    from django.contrib.auth.decorators import login_required
    from django.shortcuts import get_object_or_404, redirect, render


    def authorize(func):
        def wrapper(*args, **kwargs):
            # args[0] is the request; URL parameters arrive as keyword arguments
            if kwargs.get('post_id'):
                instance = get_object_or_404(Post, id=kwargs.get('post_id'))
                if not args[0].user.id == instance.author_id:
                    return redirect(
                        'blog:post_detail', post_id=kwargs.get('post_id')
                    )
                kwargs.update({'instance': instance})
            elif kwargs.get('comment_id'):
                instance = get_object_or_404(Comment, id=kwargs.get('comment_id'))
                if not args[0].user.id == instance.author_id:
                    return redirect(
                        'blog:post_detail', post_id=kwargs.get('post_id')
                    )
                kwargs.update({'instance': instance})
            # call the wrapped view
            func(*args, **kwargs)
        return wrapper


    @login_required
    @authorize
    def edit_post(request, post_id, instance=None):
        instance = get_object_or_404(Post, id=post_id)
        form = PostForm(request.POST or None, instance=instance)
        context = {'form': form}
        if form.is_valid():
            form.save()
        return render(request, 'blog/create.html', context)
What am I doing wrong?
So I need to return func(*args, **kwargs)
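An added example (not code from the original post) of an ownership-check decorator in which every path either returns a response or fails closed. It uses constructed stand-ins for the Django models, `get_object_or_404` and `redirect` so it runs without Django; the `post_id` field on comments and the names `POSTS`, `COMMENTS`, `redirect_to_post` and `edit_comment` are assumptions.

```python
from functools import wraps
from types import SimpleNamespace

# Constructed stand-ins for Post and Comment rows (assumption: comments carry post_id).
POSTS = {1: SimpleNamespace(id=1, author_id=10)}
COMMENTS = {7: SimpleNamespace(id=7, author_id=20, post_id=1)}

def redirect_to_post(post_id):
    # Stand-in for redirect('blog:post_detail', post_id=post_id).
    return SimpleNamespace(status_code=302, url=f"/posts/{post_id}/")

def authorize(func):
    @wraps(func)  # keeps the view's own name instead of "wrapper" in error messages
    def wrapper(request, *args, **kwargs):
        # If both ids are present, the comment is the object being edited.
        # A KeyError here stands in for the Http404 of get_object_or_404.
        if kwargs.get("comment_id") is not None:
            instance = COMMENTS[kwargs["comment_id"]]
            post_id = instance.post_id
        elif kwargs.get("post_id") is not None:
            instance = POSTS[kwargs["post_id"]]
            post_id = instance.id
        else:
            # Fail closed: with no object to check, the view must not run.
            raise TypeError(f"{func.__name__} got no post_id or comment_id")
        if request.user.id != instance.author_id:
            return redirect_to_post(post_id)
        kwargs["instance"] = instance
        # Hand the view's response back; without this return the caller gets None.
        return func(request, *args, **kwargs)
    return wrapper

@authorize
def edit_post(request, post_id, instance=None):
    # The decorator already loaded and checked the object, so reuse it.
    return SimpleNamespace(status_code=200, edited=instance.id)

@authorize
def edit_comment(request, comment_id, instance=None):
    return SimpleNamespace(status_code=200, edited=instance.id)
```
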