How to use object level permissions with APIView?

I have a permission class that checks if the obj.account is equal to request.user.profile.account:

from rest_framework import permissions


class IsOwner(permissions.BasePermission):
    # Allow access only when the requester's account owns the object.
    def has_object_permission(self, request, view, obj):
        return request.user.profile.account == obj.account

And this is my view:

from django.shortcuts import get_object_or_404
from rest_framework.response import Response
from rest_framework.views import APIView

from .models import Contact              # app-local modules (assumed names)
from .serializers import ContactSerializer


class ContactDetailView(APIView):
    permission_classes = (IsOwner, )

    def get(self, request, pk, format=None):
        contact = get_object_or_404(Contact, pk=pk)
        serializer = ContactSerializer(contact)

        return Response(
            serializer.data,
        )

But I don't get a permission error. It returns the contact data with no problem.

Where is my mistake?

Upvotes: 3

Views: 2801

Answers (1)

neverwalkaloner

Reputation: 47364

You need to call the check_object_permissions method before the response:

from django.shortcuts import get_object_or_404
from rest_framework.response import Response
from rest_framework.views import APIView

from .models import Contact              # app-local modules (assumed names)
from .serializers import ContactSerializer


class ContactDetailView(APIView):
    permission_classes = (IsOwner, )

    def get(self, request, pk, format=None):
        contact = get_object_or_404(Contact, pk=pk)
        serializer = ContactSerializer(contact)
        # Runs has_object_permission() of every permission class; raises
        # PermissionDenied (HTTP 403) if any of them returns False.
        self.check_object_permissions(request, contact)

        return Response(
            serializer.data,
        )

Note that generic view classes already call it by default. But since you are not using RetrieveAPIView you need to do it manually.

Upvotes: 8
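The following is an added example, not part of the question or the answer above and not Django REST framework's own code. It is a small constructed model of how DRF dispatches the two permission hooks: `check_permissions()` (which calls `has_permission()`) runs for every request, while `check_object_permissions()` (which calls `has_object_permission()`) is only invoked by the generic views' `get_object()`, so a plain `APIView` must call it itself. The `Account`, `Profile`, `Contact` dataclasses, the `CONTACTS` table and the `fetch()` helper are constructed for the demonstration; `LeakyContactDetailView` reproduces the question's view and `ContactDetailView` the answer's fix, so you can see one leak cross-account data and the other refuse it. It runs without Django installed.

```python
"""Constructed model of DRF's permission dispatch (no Django/DRF required).

The APIView/BasePermission classes below mirror the control flow of
rest_framework.views.APIView.check_permissions / check_object_permissions;
they are a teaching model, not the real implementation.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stands in for rest_framework.exceptions.PermissionDenied (HTTP 403)."""


@dataclass
class Account:
    name: str


@dataclass
class Profile:
    account: Account


@dataclass
class User:
    profile: Profile


@dataclass
class Request:
    user: User


@dataclass
class Contact:
    pk: int
    account: Account
    email: str


# Constructed sample data: two tenants, one contact each.
ACME = Account("acme")
GLOBEX = Account("globex")
CONTACTS = {
    1: Contact(1, ACME, "alice@acme.example"),
    2: Contact(2, GLOBEX, "bob@globex.example"),
}


class BasePermission:
    # Same defaults as DRF: both hooks allow unless overridden.
    def has_permission(self, request, view):
        return True

    def has_object_permission(self, request, view, obj):
        return True


class IsOwner(BasePermission):
    """The question's permission class: object-level hook only."""
    def has_object_permission(self, request, view, obj):
        return request.user.profile.account == obj.account


class APIView:
    permission_classes = ()

    def get_permissions(self):
        return [cls() for cls in self.permission_classes]

    def check_permissions(self, request):
        # View-level check: DRF runs this for every request in initial().
        for perm in self.get_permissions():
            if not perm.has_permission(request, self):
                raise PermissionDenied()

    def check_object_permissions(self, request, obj):
        # Object-level check: APIView itself never calls this; generic
        # views call it from get_object(). A plain APIView must opt in.
        for perm in self.get_permissions():
            if not perm.has_object_permission(request, self, obj):
                raise PermissionDenied()

    def dispatch(self, request, **kwargs):
        self.check_permissions(request)  # only has_permission() runs here
        return self.get(request, **kwargs)


class LeakyContactDetailView(APIView):
    """The question's view: IsOwner is listed but never consulted per object."""
    permission_classes = (IsOwner,)

    def get(self, request, pk):
        contact = CONTACTS[pk]
        return {"pk": contact.pk, "email": contact.email}


class ContactDetailView(APIView):
    """The answer's fix: check the object before building the response."""
    permission_classes = (IsOwner,)

    def get(self, request, pk):
        contact = CONTACTS[pk]
        self.check_object_permissions(request, contact)
        return {"pk": contact.pk, "email": contact.email}


def fetch(view_cls, account, pk):
    """Return the response dict, or 'denied' if PermissionDenied was raised."""
    request = Request(User(Profile(account)))
    try:
        return view_cls().dispatch(request, pk=pk)
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    # An ACME user reading GLOBEX's contact: leaky view answers, fixed view refuses.
    print(fetch(LeakyContactDetailView, ACME, 2))  # {'pk': 2, 'email': 'bob@globex.example'}
    print(fetch(ContactDetailView, ACME, 2))       # denied
    print(fetch(ContactDetailView, ACME, 1))       # {'pk': 1, 'email': 'alice@acme.example'}
```

Two things the model makes visible: the object check has to come before any data leaves the view, so calling `check_object_permissions()` before serialization is the natural order; and because `IsOwner` only overrides `has_object_permission()`, its `has_permission()` still returns True for everyone, so in a real DRF view you would list a view-level policy such as `IsAuthenticated` next to it rather than rely on `request.user.profile` existing.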
