Reputation: 59
Custom Permissions in Django Rest Framework
I have this get View that I want to check IsOwner Permission.
Permission Class
class IsOwnerVendor(permissions.BasePermission):
def has_object_permission(self, request, view, obj):
print(f"Vendor Email:{obj.vendor_id.email}")
print(f"Loggon user:{obj.vendor_id.email}" )
return obj.vendor_id.email == request.user
this is my object Model
class Menu(models.Model):
name = models.CharField(max_length=100)
description = models.CharField(max_length=500)
price = models.FloatField()
quantity = models.IntegerField(default=1)
menu_cat = models.CharField(choices=MENU_CAT, max_length=5)
date_created = models.DateTimeField(auto_now_add=True)
last_edited = models.DateTimeField(auto_now=True)
vendor_id = models.ForeignKey(Vendor, on_delete=models.CASCADE)
is_recurring = models.BooleanField(default=False)
recurring_freq = models.IntegerField(default=1)
Vendor Model
class Vendor(models.Model):
user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE, blank=True, null=True)
business_name = models.CharField(max_length=100)
email = models.EmailField()
phone_number = PhoneField(help_text='Vendor phone number')
registered_on = models.DateTimeField(auto_now_add=True)
last_updated = models.DateTimeField(auto_now=True)
def __str__(self):
return self.business_name
and this is my view
class MenuDetailView(generics.GenericAPIView):
permission_classes = [IsOwnerVendor | IsOwnerVendor]
def get_serializer_class(self):
if self.request.method == 'PUT':
return MenuUpdateSerializer
elif self.request.method == 'GET':
return MenuListSerializer
else:
return MenuListSerializer
def get_object(self, pk):
try:
obj = Menu.objects.get(pk=pk, )
self.check_object_permissions(self.request, obj)
return obj
except Menu.DoesNotExist:
raise Http404
@method_permission_classes((IsOwnerVendor,))
def get(self, request, pk, format=None):
my_menu = self.get_object(pk=pk)
menu_serializer = MenuListSerializer(my_menu)
return Response(menu_serializer.data, status=status.HTTP_200_OK)
When I try to access the view, I always get the error below
{
"detail": "You do not have permission to perform this action."
}
I have read the DRF doc and I still cannot pinpoint where my issue lies.
I also printed the Permission checkers on the console and saw that it was supposed to return true.
Upvotes: 0
Views: 341
Answers (1)
Reputation: 7717
The main point is you should let has_object_permission method return True, you can try:
return obj.vendor_id.email == request.user.email or
return obj.vendor_id.user == request.user, if this still not work, you can print log or set breakpoint to see why this method return False.Remember to restart you localserver before you next test.
Upvotes: 2
Related Questions
- how to add custom permissions and role based in django rest framework
- Django Rest Framework custom permissions per view
- django rest model permissions
- How to make a Custom Permission django-rest
- Django Rest Framework: Custom IsReadOnly Permission
- How can I write my own permissions in django
- DRF Custom permission
- How to add permissions in Django Rest Framework for specific requests
- Django rest framework permissions
- django-rest-framework : setting per user permissions