Indeed, using the GET method to delete your objects makes you vulnerable to CSRF attacks.
DeleteView only deletes on POST and shows the confirmation page on GET.
Your code should look something like this. In views.py:

    from django.urls import reverse_lazy
    from django.views.generic import DeleteView

    from .models import Post  # the model being deleted


    class PostDelete(DeleteView):
        model = Post
        success_url = reverse_lazy('posts.views.all_posts')
In urls.py:

    url(r'^delete/(?P<pk>\d+)/$', PostDelete.as_view(), name='entry_delete'),
Your form (without using a confirmation template; the docs have an example of a confirmation template):

    <form action="{% url 'entry_delete' object.pk %}" method="post">
        {% csrf_token %}
        <input type="submit" value="Delete" />
    </form>
If you are not using a confirmation template, be sure to specify the form's action attribute for the DeleteView (that's why).
To make sure the user deleting a post is the one it belongs to, I like to use mixins. Assuming your Post model has a created_by foreign key pointing to User, you can write the mixin as:

    from django.core.exceptions import PermissionDenied


    class PermissionMixin(object):
        def get_object(self, *args, **kwargs):
            # Fetch the object as usual, then refuse unless the current user owns it.
            obj = super(PermissionMixin, self).get_object(*args, **kwargs)
            if obj.created_by != self.request.user:
                raise PermissionDenied()
            return obj
Finally, your DeleteView should inherit from this mixin:

    class PostDelete(PermissionMixin, DeleteView):
        model = Post
        success_url = reverse_lazy('posts.views.all_posts')