Django REST Framework view permissions not called


I am trying to create a custom permission for my view that allows read and write permissions to the owner of the model in the QuerySet but does not allow any permission/request to other users or unauthenticated ones.

Source: https://www.django-rest-framework.org/tutorial/4-authentication-and-permissions/

View:

class My_classListCreateAPIView(generics.ListCreateAPIView):
    queryset = Model.objects.all()
    serializer_class = ModelSerializer
    permission_classes = [IsModelOwner]

Permission:

class IsModelOwner(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        # Permissions are only allowed to the owner of the model and admins.
        if request.user.is_staff == True:
            return True
        return obj.owner == request.user

Unfortunately, it seems that my view is not even calling my custom permission class. (I imported it etc.) If, instead of my custom permission class, I use a default one like permissions.IsAuthenticatedOrReadOnly, that works instead. What am I missing here?

Thanks.

Best answer:

The has_object_permission method is only called on objects, not on querysets. This means that on a list request it won't be called.

Your view only has list and create endpoints; neither of those uses the object_permissions. Use has_permission instead.

However, I believe what you want to do is actually use the IsAuthenticated permission combined with a modified get_queryset in your view:

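from rest_framework import generics
from rest_framework.permissions import IsAuthenticated

class My_classListCreateAPIView(generics.ListCreateAPIView):
    queryset = Model.objects.all()
    serializer_class = ModelSerializer
    # View-level check: rejects unauthenticated requests before list/create run.
    permission_classes = [IsAuthenticated]

    def get_queryset(self):
        # Return only the rows owned by the requesting user.
        return Model.objects.filter(owner=self.request.user)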
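
The call order described in the answer, as an added example that is not part of the original answer and is not DRF code: a simplified pure-Python stand-in for DRF's dispatch, in which the view-level hook runs before every handler and the object-level hook runs only when a detail handler fetches an object. The View, Request and User classes, the dict rows and the denied helper are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    is_authenticated: bool = True
    is_staff: bool = False

@dataclass(frozen=True)
class Request:
    user: User

class BasePermission:                       # both hooks allow by default, as in DRF
    def has_permission(self, request, view): return True
    def has_object_permission(self, request, view, obj): return True

class IsModelOwner(BasePermission):         # the question's class: object-level hook only
    def has_object_permission(self, request, view, obj):
        return request.user.is_staff or obj["owner"] == request.user

class IsAuthenticated(BasePermission):      # stand-in for DRF's class of the same name
    def has_permission(self, request, view):
        return request.user.is_authenticated

class View:                                 # hypothetical model of a generic view
    permission_classes = [IsModelOwner]
    def __init__(self, rows): self.rows = rows
    def get_queryset(self): return self.rows
    def _check(self, hook, *args):
        perms = [cls() for cls in self.permission_classes]
        if not all(getattr(p, hook)(self.request, self, *args) for p in perms):
            raise PermissionError(hook)
    def list(self, request):                # view-level check only; no object is fetched
        self.request = request
        self._check("has_permission")
        return [r["id"] for r in self.get_queryset()]
    def retrieve(self, request, pk):        # detail route: object-level check runs here
        self.request = request
        self._check("has_permission")
        obj = next(r for r in self.get_queryset() if r["id"] == pk)  # assumes pk exists
        self._check("has_object_permission", obj)
        return obj["id"]

class OwnerScopedView(View):                # the answer's fix
    permission_classes = [IsAuthenticated]
    def get_queryset(self):
        return [r for r in self.rows if r["owner"] == self.request.user]

ALICE, BOB, ANON = User("alice"), User("bob"), User("", is_authenticated=False)
ROWS = [{"id": 1, "owner": ALICE}, {"id": 2, "owner": BOB}]   # constructed sample data

def denied(call, *args):
    try: call(*args)
    except PermissionError: return True
    return False
```

With only the object-level hook defined, the list handler returns every row to an anonymous caller because the inherited view-level hook allows by default. The owner check fires only on the detail route.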