Fix review creation to properly handle unauthorized product reviews

Yosef-AlSabbah · Yosef-AlSabbah · commit c0ce5406c0d4 · 2025-06-09T15:15:04.000+03:00
diff --git a/shop/models.py b/shop/models.py
@@ -156,8 +156,13 @@ class Meta:
 
     def save(self, *args, **kwargs):
         from django.core.exceptions import ValidationError
-        if not self.product.order_items.filter(order__user=self.user).exists():
+
+        # Allow skipping validation when saving from view (where validation already happened)
+        skip_validation = kwargs.pop('skip_validation', False)
+
+        if not skip_validation and not self.product.order_items.filter(order__user=self.user).exists():
             raise ValidationError("You can only review products you have purchased.")
+
         super().save(*args, **kwargs)
 
     def __str__(self):
diff --git a/shop/views.py b/shop/views.py
@@ -121,8 +121,18 @@ def perform_create(self, serializer):
         product_slug = self.kwargs.get('product_slug')
         try:
             product = get_object_or_404(Product, slug=product_slug)
+
+            # Check if user has purchased this product before saving
+            if not product.order_items.filter(order__user=self.request.user).exists():
+                from django.core.exceptions import ValidationError
+                raise ValidationError("You can only review products you have purchased.")
+
             serializer.save(product=product)
             logger.info("Review created for product slug: %s by user id: %s", product_slug, self.request.user.id)
+        except ValidationError as e:
+            logger.error("Validation error creating review for product slug: %s: %s", product_slug, e)
+            from rest_framework.exceptions import PermissionDenied
+            raise PermissionDenied(detail=str(e.message))
         except Exception as e:
             logger.error("Error creating review for product slug: %s: %s", product_slug, e, exc_info=True)
             raise
