# Django 6 - Adding Draft, Security and Comments Functionality

### Add Post Draft Functionality to your Blog

Currently when we're creating new post using the post_new method, the post is published directly. To instead save the post as a draft, remove this line in *blog/views.py* in the post_new method:

In [None]:
post.published_date = timezone.now()

This way, new posts will be saved as drafts that we can review later on rather than being instantly published. Next, we will create the necessary code to list and publish drafts.

First, we will create an icon link to a view that displays the list of post drafts (those blog posts that have been created but have not been published yet). In the file *blog/templates/blog/base.html*, right before the icon to add new posts, add the following line:

In [None]:
<a href="{% url 'post_draft_list' %}" class="top-menu"><span class="glyphicon glyphicon-edit"></span></a>

In *blog/urls.py* add:

In [None]:
url(r'^drafts/$', views.post_draft_list, name='post_draft_list'),

Now we create the corresponding view in *blog/views.py*:

In [None]:
def post_draft_list(request):
    posts = Post.objects.filter(published_date__isnull=True).order_by('-created_date')
    return render(request, 'blog/post_draft_list.html', {'posts': posts})

The first line of the post_draft_list method makes sure we take only unpublished posts and order them in reverse chronological order.

The only piece missing is to create the corresponding template:  *blog/templates/blog/post_draft_list.html*

In [None]:
{% extends 'blog/base.html' %}

{% block content %}
    {% for post in posts %}
        <div class="post">
            <p class="date">created: {{ post.created_date|date:'d-m-Y' }}</p>
            <h1><a href="{% url 'blog.views.post_detail' pk=post.pk %}">{{ post.title }}</a></h1>
            <p>{{ post.text|truncatechars:200 }}</p>
        </div>
    {% endfor %}
{% endblock %}

Finally, run the local version of the server:

Go to http://127.0.0.1:8000/, and add a new post. Notice that because of the changes we made to the the post_new method in the *blog/views.py* file, this post is not going to be automatically published when you click the save button of the new post form. Verify this yourself.

Now, click on the icon we just added to display the list of unpublished posts
![](./images/drafts.png)
or, alternatively you can go directly to the URL (http://127.0.0.1:8000/drafts/) which we have designated to list all the posts created but yet unpublished.  Verify that you can see a list of unpublished posts.

Finally, let's add a publish functionality so we can transition unpublished posts into published posts.

We will add  a button on the blog post detail page that will immediately publish the post.  Open the *blog/template/blog/post_detail.html* file and substitute the following lines:

In [None]:
{% if post.published_date %}
    <div class="date">
        {{ post.published_date }}
    </div>
{% endif %}

for:

In [None]:
{% if post.published_date %}
    <div class="date">
        {{ post.published_date }}
    </div>
{% else %}
    <a class="btn btn-default" href="{% url 'blog.views.post_publish' pk=post.pk %}">Publish</a>    
{% endif %}

With this change we have specified that  if the condition post.published_date  is not fulfilled, then we want to create a button that offers the possibility of publishing the current post. Note that we are passing a pk variable in the {% url %} that identifies a given post (pk is the primary key associated with a post in the Database).

 Now we create a URL (in *blog/urls.py*):

In [None]:
url(r'^post/(?P<pk>\d+)/publish/$', views.post_publish, name='post_publish'),

and a view in *blog/views.py*:

In [None]:
def post_publish(request, pk):
    post = get_object_or_404(Post, pk=pk)
    post.publish()
    return redirect('blog.views.post_detail', pk=pk)

Notice how we are using the method *publish* in the Post model. Check out also how the publish button appears now when you look at a draft of a post.

![](./images/draftPost.png)

Finally, notice also how immediately after publishing the post, the application redirects the user immediately to the post_detail page.

The last bit of work in this section will be to add a button to delete a post. Open the *blog/templates/blog/post_detail.html* file and add the following line under the line the edit button:

In [None]:
<a class="btn btn-default" href="{% url 'post_remove' pk=post.pk %}"><span class="glyphicon glyphicon-remove"></span></a>

Add the following URL in *blog/urls.py*:

In [None]:
url(r'^post/(?P<pk>\d+)/remove/$', views.post_remove, name='post_remove'),

and the following view in *blog/views.py* to remove a post:

In [2]:
def post_remove(request, pk):
    post = get_object_or_404(Post, pk=pk)
    post.delete()
    return redirect('blog.views.post_list')

Every Django model can be deleted with the .delete() method. After deleting a post we want to go to the webpage with a list of posts, so we are using redirect.

Lastly, simply verify that you can delete both published and unpublished posts http://127.0.0.1:8000/post/1/.

![](./images/delete.png)

### Security

You might have noticed that the level of security of our blog application is very primitive. If you go to http://127.0.0.1:8000 in a browser that you have not used to sign into the admin interface http://127.0.0.1:8000/admin, The icons to add, edit, publish or delete a post are missing, But you can still access the page to create a new post http://127.0.0.1:8000/post/new/ even though you cannot save  the post. However, someone could easily remove a post by going to the URL http://127.0.0.1:8000/post/X/remove Where the X stands for any of your post primary keys (PKs). Let's improve our currently deeply flawed security layer.

We will protect our post_new, post_edit, post_draft_list, post_remove and post_publish views so that only logged-in users can access them. Django ships with some nice helpers for that using, an advanced Python topic, called decorators.


A decorator is the name used for a software design pattern. Decorators dynamically alter the functionality of a function, method, or class without having to directly use subclasses or change the source code of the function being decorated. Fortunately, you don't need to worry about the specifics of how they work.  

One of the main advantages of using a web development framework, is that a lot of work has already been done for you. Instead of you having to develop yourself certain Web security features such as authentication, you can use that the framework provides to accomplish those tasks. We will use a decorator built in Django (in the module django.contrib.auth.decorators) called login_required which basically provides the functionality of not letting unauthenticated users to access certain functions in our web applications.

Edit your *blog/views.py* file and add this line at the top along with the rest of the imports:

In [None]:
from django.contrib.auth.decorators import login_required

Then add a line before each of the post_new, post_edit, post_draft_list, post_remove and post_publish views (decorating them) like the following:

In [None]:
@login_required
def post_new(request):
    #The rest of your view goes here

Notice how now if you try to access http://localhost:8000/admin) http://localhost:8000/post/new/ or http://localhost:8000/post/X/remove/ **from a browser where you have not previously log in** through the admin interface you will get an error message.


![](./images/error.png)

The decorator we added before will redirect you to the login page. But that isn't available yet, so it raises a "Page not found.

Now we will take advantage of the authentication functionality provided inbuilt within Django. In the file *mysite/urls.py*, substitute the current content with the following:

In [None]:
from django.conf.urls import patterns, include, url

from django.contrib import admin
admin.autodiscover()

urlpatterns = patterns('',
    url(r'^admin/', include(admin.site.urls)),
    url(r'^accounts/login/$', 'django.contrib.auth.views.login'),
    url(r'', include('blog.urls')),
)

Now we need a template for the login page, create a directory *blog/templates/registration* and a file inside named *login.html*:

In [None]:
{% extends "blog/base.html" %}

{% block content %}

{% if form.errors %}
<p>Your username and password didn't match. Please try again.</p>
{% endif %}

<form method="post" action="{% url 'django.contrib.auth.views.login' %}">
{% csrf_token %}
<table>
<tr>
    <td>{{ form.username.label_tag }}</td>
    <td>{{ form.username }}</td>
</tr>
<tr>
    <td>{{ form.password.label_tag }}</td>
    <td>{{ form.password }}</td>
</tr>
</table>

<input type="submit" value="login" />
<input type="hidden" name="next" value="{{ next }}" />
</form>

{% endblock %}

Thanks to Django inbuilt security functionality, we don't have to deal with encrypting forms submission nor with sanitizing passwords and securing them, it is all taken care of for us. The last bit remaining for us to do  is to add the following setting to *mysite/settings.py*:

now, assuming you have not previously log in through the admin interface (http://127.0.0.1:8000/admin/) if you try to go for instance to http://127.0.0.1:8000/post/new/ or http://127.0.0.1:8000/post/1/remove, you will be redirected, to the previous template where you can input your username and password.

![](./images/login.png)

Obviously, after loging in you should be able to see the icons to add, edit or remove a post.

Finally, let's add some visual feedback to the user to indicate whether the user is logged in or not and to provide functionality to log in and out. In the *blog/templates/blog/base.html* file substitute the entire div of class="page-header", with the following:

In [None]:
<div class="page-header">
    {% if user.is_authenticated %}
    <a href="{% url 'post_new' %}" class="top-menu"><span class="glyphicon glyphicon-plus"></span></a>
    <a href="{% url 'post_draft_list' %}" class="top-menu"><span class="glyphicon glyphicon-edit"></span></a>
    <p class="top-menu">Hello {{ user.username }}<small>(<a href="{% url 'django.contrib.auth.views.logout' %}">Log out</a>)</small></p>
    {% else %}
    <a href="{% url 'django.contrib.auth.views.login' %}" class="top-menu"><span class="glyphicon glyphicon-lock"></span></a>
    {% endif %}
    <h1><a href="{% url 'blog.views.post_list' %}">My Amazing Blog</a></h1>
</div>

Change also the urlpatterns list in *mysite/urls.py* with the following:

In [None]:
urlpatterns = patterns('',
    url(r'^admin/', include(admin.site.urls)),
    url(r'^accounts/login/$', 'django.contrib.auth.views.login'),
    url(r'^accounts/logout/$', 'django.contrib.auth.views.logout', {'next_page': '/'}),
    url(r'', include('blog.urls')),
)

And that's it, you have added a basic layer of security to your application.

### Create comments in our blog

Currently our application has a single model (Post). We can extend our application by adding the functionality of users leaving comments for a specific post. In order to do that we need to create a Comment model.

Open *blog/models.py* and append this piece of code to the end of file in order to create a model for the information contained in a comment.

In [None]:
class Comment(models.Model):
    post = models.ForeignKey('blog.Post', related_name='comments')
    author = models.CharField(max_length=200)
    text = models.TextField()
    created_date = models.DateTimeField(default=timezone.now)
    approved_comment = models.BooleanField(default=False)

    def approve(self):
        self.approved_comment = True
        self.save()

    def __str__(self):
        return self.text

**Notice that we link the Comment model to the Post model through the usage of a foreign key.**

Next, we add our comment model to the database. To do this we have to tell Django that we made changes to our model.

this command created another migration file (0002_comment.py) for us in the *blog/migrations/* directory. Now we need to apply those changes by typing:

Our Comment model exists now in the database. To register the Comment model in the admin panel, go to *blog/admin.py* and import the Comment model at the top of the file:

In [None]:
from .models import Post, Comment

And add the following code at the bottom of the file to register the Comment model and to customize how the entries should display in the admin interface:

In [None]:
class CommentAdmin(admin.ModelAdmin):
    list_display = ['author','post','created_date','approved_comment']


admin.site.register(Comment,CommentAdmin)

If you type python manage.py runserver on the command line and go to http://127.0.0.1:8000/admin/ in your browser, you should have access to the list of comments, and also the capability to add and remove comments.
 
Next, let's make our comments visible. Go to the *blog/templates/blog/post_detail.html* file and add the following lines before the {% endblock %} tag:

In [None]:
<hr>
{% for comment in post.comments.all %}
    <div class="comment">
        <div class="date">{{ comment.created_date }}</div>
        <strong>{{ comment.author }}</strong>
        <p>{{ comment.text|linebreaks }}</p>
    </div>
{% empty %}
    <p>No comments here yet :(</p>
{% endfor %}

Now we can see the comments section on pages with post details. But it could look a little bit better, so let's add some CSS to the bottom of the *static/css/blog.css* file:

We can also let visitors know about comments on the post list page. Go to the *blog/templates/blog/post_list.html* file and add the following line right before the closing div tag with class "post" (i.e right after the line with post.text|linebreaks):

In [None]:
<a href="{% url 'blog.views.post_detail' pk=post.pk %}">Comments: {{ post.comments.count }}</a>

The only task left to do, is to let the readers write comments. In the file *blog/forms.py*, modify the import of the Post model to also include the import of the Comment model:

In [None]:
from .models import Post, Comment

and add the following lines to the end:

In [None]:
class CommentForm(forms.ModelForm):
    class Meta:
        model = Comment
        fields = ('author', 'text',)

Now, go to *blog/templates/blog/post_detail.html* and before the line {% for comment in post.comments.all %}, add:

In [None]:
<a class="btn btn-default" href="{% url 'add_comment_to_post' pk=post.pk %}">Add comment</a>

Next, go to blog/urls.py and add this pattern to urlpatterns:

In [None]:
url(r'^post/(?P<pk>\d+)/comment/$', views.add_comment_to_post, name='add_comment_to_post'),

Add the corresponding view in *blog/views.py*:

In [None]:
from .forms import PostForm, CommentForm

def add_comment_to_post(request, pk):
    post = get_object_or_404(Post, pk=pk)
    if request.method == "POST":
        form = CommentForm(request.POST)
        if form.is_valid():
            comment = form.save(commit=False)
            comment.post = post
            comment.save()
            return redirect('blog.views.post_detail', pk=post.pk)
    else:
        form = CommentForm()
    return render(request, 'blog/add_comment_to_post.html', {'form': form})

And the template *blog/templates/blog/add_comment_to_post.html*:

In [None]:
{% extends 'blog/base.html' %}

{% block content %}
    <h1>New comment</h1>
    <form method="POST" class="post-form">{% csrf_token %}
        {{ form.as_p }}
        <button type="submit" class="save btn btn-default">Send</button>
    </form>
{% endblock %}

and this is it, on the post detail pages, you should see the "Add Comment" button through which users should be able to add comments to posts.

![](./images/button.png)

### Deploying our progress

Let’s upload today’s practical advances to our production server. Once again, from your git console type:

Then, log back in to https://www.pythonanywhere.com/ and go to your Bash console (or start a new one), and run:

Finally, hop on over to the Web tab and hit <font color="green">**Reload** </font> on your web app. Your update should be live!