kamalbanga

Reputation: 2011

Deleting a resource only if the DELETE request is by the resource's owner in django-tastypie

I am using django-tastypie and have a CommentResource in my api.py. I now want to restrict its behaviour such that if a DELETE request is sent, the comment gets deleted only if the DELETE request is sent by the user who wrote this comment.

So, I have to override the method delete_detail. But the signature of this method seems different here and here, specifically the arguments that the method takes. One takes self, object_list, bundle while the other takes self, request, **kwargs. Please explain what these individual parameters mean and what signature my method should have, along with the answer.

Upvotes: 0

Views: 194

Answers (1)

Rahul Gupta

Reputation: 47876

1. delete_detail(self, request, **kwargs)

Resource.delete_detail(self, request, **kwargs)

This method destroys a single resource/object.

It calls obj_delete. If the resource is deleted, it returns HttpNoContent (204 No Content). If the resource did not exist, it returns HttpNotFound (404 Not Found).

It has request as an argument and also a kwargs dictionary.

2. delete_detail(self, object_list, bundle):

This is used when implementing your own authorization class.

This method takes two parameters, object_list & bundle.

object_list is the collection of objects being processed as part of the request. FILTERING & other restrictions to the set will have already been applied prior to this call.

bundle is the populated Bundle object for the request.

As per the docs,

In the case of the *_detail methods, you’ll have access to the object_list (so you know if a given object fits within the overall set), BUT you’ll want to be inspecting bundle.obj & either returning True if they should be allowed to continue or raising the Unauthorized exception if not.

Raising Unauthorized will cause an HTTP 401 error status code in the response.

This method is used for authorization. Here, you will return True if it is authorized to continue else raise an exception.

This is different from the former as there you are deleting an object/instance but here you are authorizing and verifying what someone can do with the resources in your API.

Since, in your own case, the comment gets deleted only if the DELETE request is sent by the user who wrote this comment, you need to use the 2nd method. Users are authorized to delete only their own comments and not those of others. object_list here will be the Comments of that user after filtering from all the comment objects.

Upvotes: 1
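The owner-only check from the answer above, written out as an added example (it is not code from the question, the answer, or django-tastypie itself). It assumes a Comment model with a `user` foreign key to the author (the field name is an assumption) and that tastypie has attached the Django request, with its authenticated user, to `bundle.request`; where tastypie is not importable, minimal stand-ins for `Authorization` and `Unauthorized` are defined so the file still runs.

```python
from types import SimpleNamespace

try:
    from tastypie.authorization import Authorization
    from tastypie.exceptions import Unauthorized
except ImportError:
    # Minimal stand-ins so the example also runs where tastypie is not installed.
    class Authorization:
        pass

    class Unauthorized(Exception):
        pass


class CommentOwnerAuthorization(Authorization):
    """Allow DELETE on a comment only for the user who wrote it."""

    def delete_list(self, object_list, bundle):
        # Refuse bulk DELETE on the list endpoint; comments are removed one at a
        # time through delete_detail, where ownership is checked per object.
        raise Unauthorized("Bulk deletion of comments is not permitted.")

    def delete_detail(self, object_list, bundle):
        # bundle.obj is the single Comment about to be deleted; the requesting
        # user comes from the Django request tastypie attaches to the bundle.
        user = getattr(bundle.request, "user", None)
        if user is None or user.pk is None:  # AnonymousUser has pk None
            raise Unauthorized("Authentication is required to delete a comment.")
        # Compare primary keys rather than object identity.
        if bundle.obj.user.pk != user.pk:
            raise Unauthorized("You may only delete your own comments.")
        return True


# Constructed stand-ins for a Django request and a Comment (assumed `user` FK).
def make_bundle(comment_author_pk, requester_pk):
    comment = SimpleNamespace(pk=1, user=SimpleNamespace(pk=comment_author_pk))
    request = SimpleNamespace(method="DELETE", user=SimpleNamespace(pk=requester_pk))
    return SimpleNamespace(obj=comment, request=request)


def can_delete(comment_author_pk, requester_pk):
    """True if the owner check passes, False if Unauthorized was raised."""
    bundle = make_bundle(comment_author_pk, requester_pk)
    try:
        return CommentOwnerAuthorization().delete_detail([bundle.obj], bundle)
    except Unauthorized:
        return False
```

In a real project the class is wired in through `authorization = CommentOwnerAuthorization()` in the resource's Meta, and tastypie turns the raised Unauthorized into the 401 response described in the answer.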
