Geek Answers Handbook

Django rest framework ignores has_object_permission

I am trying to restrict access to objects for users. Only creators should modify objects. For this, as the textbook says, I wrote

class IsOwnerOrReadOnly(permissions.BasePermission): def has_object_permission(self, request, view, obj): return False

and added it to class permissions. But any user can change any object. If I add a method

  def has_permission(self, request, view): return False

no one can do anything. Thus, all behavior is controlled by a single has_permission method, which does not provide any way to process permissions for a single object. So am I doing something wrong? Here is the request handler code

 class ProblemsHandler(APIView): permission_classes = ( IsOwnerOrReadOnly, permissions.IsAuthenticatedOrReadOnly, ) def pre_save(self, request, problem): problem.author = request.user def get_object(self, request, pk, format): try: problem = ProblemsModel.objects.get(pk=pk) serializer = ProblemsSerializer(problem) return Response(serializer.data, status=HTTP_200_OK) except ProblemsModel.DoesNotExist: raise Http404 def get_list(self, request, format): problems = ProblemsModel.objects.all() serializer = ProblemsSerializer(problems, many=True) return Response(serializer.data, status=HTTP_200_OK) def get(self, request, pk=None, format=None): if pk: return self.get_object(request, pk, format) else: return self.get_list(request, format) def post(self, request, format=None): serializer = ProblemsSerializer(data=request.DATA) if serializer.is_valid(): self.pre_save(request, serializer.object) serializer.save() return Response(serializer.data, status=HTTP_201_CREATED) else: return Response(serializer.errors, status=HTTP_400_BAD_REQUEST) def put(self, request, pk, format=None): try: problem = ProblemsModel.objects.get(pk=pk) serializer = ProblemsSerializer(problem, data=request.DATA) if serializer.is_valid(): self.pre_save(request, serializer.object) serializer.save() return Response(serializer.data, status=HTTP_200_OK) else: return Response(serializer.errors, status=HTTP_400_BAD_REQUEST) except ProblemsModel.DoesNotExist: raise Http404 def delete(self, request, pk, format=None): try: problem = ProblemsModel.objects.get(pk=pk) problem.delete() return Response(status=HTTP_204_NO_CONTENT) except ProblemsModel.DoesNotExist: raise Http404
+6
source share
1 answer

object rights checks are performed by DRF in the APIView.check_object_permissions method.

Since you are not using GenericAPIView , you define your own get_object method, and you need to call check_object_permissions yourself. Since you are using get_object incorrectly, you need to check for GET (single), PUT and DELETE

 self.check_object_permissions(self.request, obj)

Perhaps a better look at the general concepts of DRF , as your use case looks just like them. Normally get_object should only return an object and check permissions.

+17
source

More articles:


All Articles