From effe016b577f0dbdcedbc42b1f8d8217f90ffc39 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=AD=C3=B0ir=20Valberg=20Gu=C3=B0mundsson?=
Date: Fri, 10 Aug 2018 18:46:35 +0200
Subject: [PATCH] Ensure only the creator of the ride can edit and delete it.
---
 src/rideshare/views.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/rideshare/views.py b/src/rideshare/views.py
index 19e4ef31..94305103 100644
--- a/src/rideshare/views.py
+++ b/src/rideshare/views.py
@@ -1,5 +1,5 @@
 from django.contrib import messages
-from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
 from django.urls import reverse
 from django.views.generic import (
 ListView,
@@ -73,10 +73,15 @@ class RideCreate(LoginRequiredMixin, CampViewMixin, CreateView):
 return HttpResponseRedirect(self.get_success_url())
-class RideUpdate(LoginRequiredMixin, CampViewMixin, UpdateView):
+class IsRideOwnerMixin(UserPassesTestMixin):
+ def test_func(self):
+ return self.get_object().user == self.request.user
+
+
+class RideUpdate(LoginRequiredMixin, CampViewMixin, IsRideOwnerMixin, UpdateView):
 model = Ride
 fields = ['location', 'when', 'seats', 'description']
-class RideDelete(LoginRequiredMixin, CampViewMixin, DeleteView):
+class RideDelete(LoginRequiredMixin, CampViewMixin, IsRideOwnerMixin, DeleteView):
 model = Ride
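Review bot: `IsRideOwnerMixin.test_func` resolves the ride with `self.get_object()`, and the generic update and delete views resolve it again while handling the request, so every edit or delete now performs the lookup twice; if `Ride.user` is a foreign key (the model is not visible here), `return self.get_object().user_id == self.request.user.pk` would at least avoid loading the related user row. The mixin also has no docstring; I would add `"""Allow the request only when the logged-in user created the ride."""` together with a comment that it has to be listed before `UpdateView`/`DeleteView` in the bases so that its `dispatch` check runs ahead of the view. The diffstat shows only `views.py` changed, so nothing in this commit verifies that a non-owner is actually refused on both `RideUpdate` and `RideDelete`; a test for that would keep this access-control rule from regressing. `RideDelete` may continue past the end of the hunk.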