Reputation: 71
I've been trying to figure this out for almost a full day now, and I can't seem to figure out why has_object_permission method isn't called when the ListCreateAPIView is called in DRF. I've tried all the solutions I could find, but according to the docs check_object_permissions is called in this class already.
I know it has to be something stupid I'm missing. Code snippets are below, please help!
views.py:

    from accountability.models import AccountabilityItem
    from accountability.serializers import AccountabilityItemSerializer
    from rest_framework import generics
    from .permissions import InGroup


    class AccountabilityItemListCreate(generics.ListCreateAPIView):
        queryset = AccountabilityItem.objects.all()
        serializer_class = AccountabilityItemSerializer
        permission_classes = (InGroup,)

permissions.py:

    from rest_framework import permissions


    class InGroup(permissions.BasePermission):
        """
        Custom permission to only allow owners of an object to edit it.
        """

        def has_object_permission(self, request, view, obj):
            print('Checking for object')
            return False

Another note, I've added the has_permission method to the permissions.py file, and this method runs all the time no matter what.
Thanks!
Upvotes: 4
Views: 1077
Reputation: 20976
Calling has_object_permission doesn't make sense for lists. It is intended for single instances.
What you want is to filter your list of objects so it only leaves those for which the user has some permissions. DjangoObjectPermissionsFilter does it but requires django-guardian. You might get a similar result by creating your own filtering class (sources for DjangoObjectPermissionsFilter).
Upvotes: 3
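The filtering the answer describes, as an added example that is not part of the original posts or of DRF itself: the classes follow DRF's permission and filter-backend method signatures, but `StubListView`, the `group` field, `group_names` and the sample rows are hypothetical plain-Python stand-ins so the block runs without Django installed.

```python
from types import SimpleNamespace


class InGroup:
    """Same method signatures as DRF's BasePermission."""
    def has_permission(self, request, view):
        # View-level check: DRF runs it on every request, list included.
        return request.user.is_authenticated

    def has_object_permission(self, request, view, obj):
        # Object-level check: DRF reaches it only through get_object().
        return obj.group in request.user.group_names  # assumed fields


class ObjectPermissionFilter:
    """Same filter_queryset signature as a DRF filter backend."""
    def filter_queryset(self, request, queryset, view):
        perms = view.get_permissions()
        return [obj for obj in queryset
                if all(p.has_object_permission(request, view, obj) for p in perms)]


class StubListView:
    """Constructed stand-in for the list path of ListCreateAPIView."""
    permission_classes = (InGroup,)

    def __init__(self, rows, filter_backends):
        self.rows, self.filter_backends = rows, filter_backends

    def get_permissions(self):
        return [cls() for cls in self.permission_classes]

    def list(self, request):
        if not all(p.has_permission(request, self) for p in self.get_permissions()):
            raise PermissionError("permission denied")
        rows = self.rows
        for backend in self.filter_backends:  # no get_object() on this path
            rows = backend().filter_queryset(request, rows, self)
        return rows


# Constructed sample rows; "group" is a hypothetical model field.
ITEMS = [SimpleNamespace(id=i, group=g)
         for i, g in enumerate(["ops", "finance", "ops"], start=1)]


def visible_ids(group_names, backends=(ObjectPermissionFilter,)):
    user = SimpleNamespace(is_authenticated=True, group_names=set(group_names))
    view = StubListView(ITEMS, backends)
    return [o.id for o in view.list(SimpleNamespace(user=user))]
```

In a real project `InGroup` would subclass `permissions.BasePermission` and the filter would subclass `filters.BaseFilterBackend` and be listed in the view's `filter_backends`. Per-row checks in Python load every row first, so for large tables express the same rule as a queryset filter.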