Prometheus

Reputation: 33655

DRF permission not taking effect

The following permission, IsOwnerOrReadOnly, is not taking effect and I don't understand why:

class PermissionMixin(object):
    """
    API Permission Mixin.
    Permission checks authentication information in the request.user and request.auth
    properties to determine if the incoming request should be permitted.
    """

    permission_classes = [Or(permissions.IsAdminUser, TokenHasReadWriteScope), And (IsOwnerOrReadOnly)]

I want an IsAdminUser or TokenHasReadWriteScope user to be permitted, but to always check that they are the owner (IsOwnerOrReadOnly).

class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow owners of an object to edit it.
    """

    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        # so we'll always allow GET, HEAD or OPTIONS requests.
        if request.method in permissions.SAFE_METHODS:
            return True

        # Write permissions are only allowed to the owner of object.
        return obj.user == request.user

Upvotes: 0

Views: 385

Answers (1)

AdelaN

Reputation: 3536

I think the right way to set the permission is:

permission_classes = [And(Or(permissions.IsAdminUser, TokenHasReadWriteScope), IsOwnerOrReadOnly)]

Tell me if this works.

Upvotes: 2
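
An added example, not part of the original posts and not DRF's own code: a self-contained model of the composition in the answer, using simplified stand-ins for `And`, `Or`, the built-in permission classes and the request object. It also shows a general DRF behaviour: `has_object_permission` is only evaluated when the view runs the object-level check (generic views do this in `get_object()`, custom views must call `check_object_permissions(request, obj)`), so an owner rule is skipped otherwise.

```python
# Simplified stand-ins for DRF's permission machinery (no Django/DRF import).
from types import SimpleNamespace

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

class BasePermission:
    # As in DRF, both hooks allow by default unless a subclass overrides them.
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        return True

class IsAdminUser(BasePermission):
    def has_permission(self, request, view):
        return bool(request.user and request.user.is_staff)

class TokenHasReadWriteScope(BasePermission):
    # Stand-in: request.auth is modelled as a set of granted scopes.
    def has_permission(self, request, view):
        needed = "read" if request.method in SAFE_METHODS else "write"
        return needed in (request.auth or ())

class IsOwnerOrReadOnly(BasePermission):
    # Same rule as the class in the question.
    def has_object_permission(self, request, view, obj):
        return request.method in SAFE_METHODS or obj.user == request.user

class Combine(BasePermission):
    """And/Or combinator that applies to both the view and the object phase."""
    def __init__(self, reducer, *parts):
        self.reducer = reducer
        self.parts = [p() if isinstance(p, type) else p for p in parts]
    def has_permission(self, request, view):
        return self.reducer(p.has_permission(request, view) for p in self.parts)
    def has_object_permission(self, request, view, obj):
        return self.reducer(p.has_object_permission(request, view, obj) for p in self.parts)

def And(*parts): return Combine(all, *parts)
def Or(*parts): return Combine(any, *parts)

def authorize(policy, request, obj, run_object_phase=True):
    """View phase always runs; object phase only if the view triggers it."""
    if not policy.has_permission(request, None):
        return False
    return not run_object_phase or policy.has_object_permission(request, None, obj)

# Constructed sample data: alice owns doc, bob does not; neither is staff.
alice = SimpleNamespace(name="alice", is_staff=False)
bob = SimpleNamespace(name="bob", is_staff=False)
doc = SimpleNamespace(user=alice)
policy = And(Or(IsAdminUser, TokenHasReadWriteScope), IsOwnerOrReadOnly)

def req(method, user, scopes=()):
    return SimpleNamespace(method=method, user=user, auth=set(scopes))
```

With a read/write token, `authorize(policy, req("PUT", bob, {"read", "write"}), doc)` is denied, while the same call with `run_object_phase=False` is allowed because the owner rule is never consulted.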
