
I am making a simple BBS in Django.

At the moment, I am trying to make it possible to delete a post in the front-end.

This is my code in views.py:

@login_required
def delete_post(request, id):
    post_to_delete = get_object_or_404(Post, pk=id)

    if post_to_delete.owner_user != request.user:
        return HttpResponseForbidden()

    if request.method == 'POST':
        form = DeletePostForm(request.POST, instance=post_to_delete)
        if form.is_valid():
            post_to_delete.delete()

            return HttpResponseRedirect('/') 
    else:
        form = DeletePostForm(instance=post_to_delete)

    return render(request,'delete_post.html', {'form':form})

I believe I am using the .delete() function correctly, and when I click my delete button, I am taken to delete_post.html, but when I go back to check the list of posts in admin, the post is still there.

Dan
  • You need to check that your call to form.is_valid() is returning True. If you don't know, you can see the errors using form.errors. Also, I don't know why you are using a Form to perform a delete; just by passing the post id to the view and getting it, you can delete it. – levi Aug 05 '14 at 22:26
  • http://stackoverflow.com/a/13644671 I saw it here. It tells me to use a form to avoid a CSRF attack. – Dan Aug 05 '14 at 22:30
  • You don't need to use forms to avoid CSRF attacks, because Django handles it for you. You can check how it works: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#unprotected-view-needs-the-csrf-token – levi Aug 05 '14 at 22:32
  • Just to make sure, if I add @csrf_protect on top of my def delete_post, I will get automatic CSRF protection? – Dan Aug 05 '14 at 22:42
  • https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/ – petkostas Aug 05 '14 at 22:42
  • @Dan You don't need to add it, Django does it for you. – levi Aug 05 '14 at 22:44
  • When you click delete, you'd be taken to your homepage `'/'`, not `delete_post.html`. As @levi said, check that `form.is_valid()` is true. – Ben Aug 06 '14 at 00:07

1 Answer

OK, having explained to you that you don't need a form to delete an instance, let me give you a version without using a form.

@login_required
def delete_post(request, id):
    post_to_delete = get_object_or_404(Post, pk=id)

    if post_to_delete.owner_user != request.user:
        return HttpResponseForbidden()

    if request.method == 'POST':   
        post_to_delete.delete()
        return render(request,'delete_post.html', {'deleted':True})

    return render(request,'delete_post.html', {'deleted':False})

You can use the deleted variable as you wish in your template.

levi
  • I implemented exactly what you wrote but without checking if request was a POST.. somehow this does not work.. I guess I will figure that out later – Dan Aug 06 '14 at 07:37
  • @Dan You should check if it is a POST because Delete is a POST action; it's good practice. Remember, GET requests are for retrieving info from your app, POST requests are for modifying it. – levi Aug 06 '14 at 13:16