Django's DRF has_object_permission method not called with get_object

Time:12-23

I scratch my head to understand why the has_object_permission below has no effect, because the documentation says that this method should be executed with get_object. What could be the reason?

@permission_classes([HasViewObjectPermission])
class IndividualDetailsView(RetrieveAPIView):
    serializer_class = IndividualSerializer
    lookup_url_kwarg = "pk"

    def get_object(self):
        pk = self.kwargs.get(self.lookup_url_kwarg)
        return Individual.objects.get(pk=pk)


class HasViewObjectPermission(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        return False

CodePudding user response:

It looks like you're using the Django Rest Framework. DRF does support Object-Level Permissions, but if you override the get_object method you must manually call the check_object_permissions method.

From the DRF documentation:

If you're writing your own views and want to enforce object level permissions, or if you override the get_object method on a generic view, then you'll need to explicitly call the .check_object_permissions(request, obj) method on the view at the point at which you've retrieved the object.
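The call flow described in the answer, as an added example that is not part of the original answer and is not DRF's own code: a stdlib-only model in which `GenericViewModel`, `store`, `retrieve` and `outcome` are hypothetical stand-ins, while `get_object`, `check_object_permissions` and `has_object_permission` keep the DRF method names. It shows that the object-level check runs inside the generic `get_object`, so an override that only looks the object up returns it to any caller.

```python
# Added example: simplified model of the call flow, not DRF source code.
class PermissionDenied(Exception):
    pass

class HasViewObjectPermission:
    def has_object_permission(self, request, view, obj):
        return False  # same behaviour as the permission class in the question

class GenericViewModel:
    """Stand-in for a generic view: the object check lives inside get_object()."""
    permission_classes = [HasViewObjectPermission]
    store = {1: "individual-1"}  # constructed sample data

    def __init__(self, request, **kwargs):
        self.request, self.kwargs = request, kwargs

    def check_object_permissions(self, request, obj):
        # Ask every permission class; the first refusal aborts the request.
        for perm in (cls() for cls in self.permission_classes):
            if not perm.has_object_permission(request, self, obj):
                raise PermissionDenied("object-level permission denied")

    def get_object(self):
        obj = self.store[self.kwargs["pk"]]
        self.check_object_permissions(self.request, obj)  # hook runs here
        return obj

    def retrieve(self):
        return self.get_object()

class OverriddenView(GenericViewModel):
    def get_object(self):  # as in the question: lookup only, check never runs
        return self.store[self.kwargs["pk"]]

class FixedView(GenericViewModel):
    def get_object(self):
        obj = self.store[self.kwargs["pk"]]
        self.check_object_permissions(self.request, obj)  # explicit call
        return obj

def outcome(view_cls):
    """Return the retrieved object, or "denied" if the permission check fired."""
    try:
        return view_cls(request=object(), pk=1).retrieve()
    except PermissionDenied:
        return "denied"
```

In the real view the fix is the same single line: call `self.check_object_permissions(self.request, obj)` in the overridden `get_object` before returning the object.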
