I scratch my head to understand why the has_object_permission below has no effect, because the documentation says that this method should be executed with get_object. What could be the reason?

    @permission_classes([HasViewObjectPermission])
    class IndividualDetailsView(RetrieveAPIView):
        serializer_class = IndividualSerializer
        lookup_url_kwarg = "pk"

        def get_object(self):
            pk = self.kwargs.get(self.lookup_url_kwarg)
            return Individual.objects.get(pk=pk)

    class HasViewObjectPermission(permissions.BasePermission):
        def has_object_permission(self, request, view, obj):
            return False

CodePudding user response:
It looks like you're using the Django Rest Framework. DRF does support Object-Level Permissions, but if you override the get_object method you must manually call the check_object_permissions method.
From the DRF documentation:
If you're writing your own views and want to enforce object level permissions, or if you override the get_object method on a generic view, then you'll need to explicitly call the .check_object_permissions(request, obj) method on the view at the point at which you've retrieved the object.
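
The behaviour described in the answer, as an added example that is not part of the original post and is not DRF's own code: MiniGenericView is a simplified stand-in for a DRF generic view, and IsOwner, RECORDS, fetch and skips_object_check are hypothetical names. It goes slightly beyond the post by using an ownership check instead of "return False", and by adding a heuristic that flags get_object overrides which never call check_object_permissions.

```python
class PermissionDenied(Exception):
    """Stand-in for DRF's PermissionDenied exception."""

class MiniGenericView:
    """Simplified model of a DRF generic view (assumption, not DRF code)."""
    permission_classes = []
    store = {}  # pk -> object, stands in for the queryset

    def __init__(self, request, **kwargs):
        self.request, self.kwargs = request, kwargs

    def check_object_permissions(self, request, obj):
        for permission in (cls() for cls in self.permission_classes):
            if not permission.has_object_permission(request, self, obj):
                raise PermissionDenied()

    def get_object(self):
        obj = self.store[self.kwargs["pk"]]
        self.check_object_permissions(self.request, obj)  # stock view runs the check
        return obj

class IsOwner:  # hypothetical object-level permission
    def has_object_permission(self, request, view, obj):
        return obj["owner"] == request["user"]

RECORDS = {1: {"id": 1, "owner": "alice"}}  # constructed sample data

class UncheckedDetail(MiniGenericView):
    permission_classes = [IsOwner]
    store = RECORDS
    def get_object(self):  # override as in the question: the check never runs
        return self.store[self.kwargs["pk"]]

class CheckedDetail(UncheckedDetail):
    def get_object(self):
        obj = super().get_object()
        self.check_object_permissions(self.request, obj)  # the explicit call
        return obj

def fetch(view_cls, user, pk=1):
    """Return the object the view would serve, or "403" when it is denied."""
    try:
        return view_cls({"user": user}, pk=pk).get_object()
    except PermissionDenied:
        return "403"

def skips_object_check(view_cls):
    """Audit heuristic: get_object is overridden and never names the check."""
    fn = view_cls.get_object
    overridden = fn is not MiniGenericView.get_object
    return overridden and "check_object_permissions" not in fn.__code__.co_names
```

In a real project the same heuristic would compare against GenericAPIView.get_object; it only inspects the override itself, so a view that delegates the check to a helper still needs manual review.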