For your views method edit_invoice, use the @login_required decorator.
In the method you would raise a 403 error:
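    from django.contrib.auth.decorators import login_required
    from django.core.exceptions import PermissionDenied

    @login_required
    def edit_invoice(request, pk):
        invoice = Invoice.objects.get(pk=pk)
        # Reject the request unless the invoice belongs to the logged-in user.
        if invoice.user != request.user:
            raise PermissionDenied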
See the Django docs about @login_required.
Also see the Django docs about PermissionDenied.
Edit:
Yeah, having a “does not exist” makes more sense. The most common one is to raise a 404 exception, as if the user is visiting a URL that doesn’t exist:
    from django.http import Http404

    raise Http404
Source: stackexchange.com