DEVHIDE
Login Or Sign up

How to restrict so that the author of the post can only see and edit his posts

213 Views Asked by At

In this code only the author of the post can edit his post, but how to also make so that the author of the post can see only his posts?

from rest_framework import permissions


class IsAuthorOrReadOnly(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user.is_authenticated:
            return True
        return False

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        return obj.author == request.user

Please add a link to useful reading materials

My views.py:

class TaskList(generics.ListCreateAPIView):
# permission_classes = (IsAuthorOrReadOnly,)
queryset = Task.objects.all()
serializer_class = TaskSerializer

class TaskDetail(generics.RetrieveUpdateDestroyAPIView):
# permission_classes = (IsAuthorOrReadOnly,)
queryset = Task.objects.all()
serializer_class = TaskSerializer
python-3.x django django-rest-framework django-views django-rest-framework-permissions
Original Q&A
1

There are 1 best solutions below

6
On BEST ANSWER

If you want the author to see his posts, you can simply restrict all users from accessing the object. Like this:

from rest_framework import permissions


class IsAuthorOrReadOnly(permissions.BasePermission):
    def has_permission(self, request, view):
        if request.user.is_authenticated:
            return True
        return False

    def has_object_permission(self, request, view, obj):
        return obj.author == request.user

Now, regardless of any types of request methods, only the author can access the object.

But if you have a list view and you do not want the author to see other posts, you can try like this:

class TaskList(generics.ListCreateAPIView):
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

    def get_queryset(self):
        return super().get_queryset().filter(author=self.request.user)

class TaskDetail(generics.RetrieveUpdateDestroyAPIView):
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

    def get_queryset(self):
        return super().get_queryset().filter(author=self.request.user)

Or combine them in a viewset:

class TaskViewSet(viewsets.ModelViewSet):
    """
    A simple ViewSet for viewing and editing tasks.
    """
    permission_classes = [IsAuthenticated,]
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

    def get_queryset(self):
        return super().get_queryset().filter(author=self.request.user)

More information can be found in documentation

Related Questions in PYTHON-3.X

Related Questions in DJANGO

Related Questions in DJANGO-REST-FRAMEWORK

Related Questions in DJANGO-VIEWS

Related Questions in DJANGO-REST-FRAMEWORK-PERMISSIONS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.