[Django]-Django Rest Framework custom permission not working

3👍

This answer was the right one for me.

It says:

The has_object_permission is not called for list views. The documentation says the following:

Also note that the generic views will only check the object-level permissions for views that retrieve a single model instance. If you require object-level filtering of list views, you’ll need to filter the queryset separately. See the filtering documentation for more details.

Link to documentation

0👍

Note: The instance-level has_object_permission method will only be called if the view-level has_permission checks have already passed.

You need to write has_permission too in order to make your custom permission work.

Here are the official docs, which mention it. It should work after you add has_permission.

0👍

As mentioned in the docs, permissions are checked when the self.get_object method is called.

    def get_object(self):
        obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
        # Object-level check: raises if any permission class denies access to obj.
        self.check_object_permissions(self.request, obj)
        return obj

Which is basically all the retrieve method does in ModelViewSet:

    def retrieve(self, request, *args, **kwargs):
        instance = self.get_object()
        serializer = self.get_serializer(instance)
        return Response(serializer.data)

Whatever it is you do in self.address_service.get_by_id(pk) should either be moved to self.get_object, or you should call self.check_object_permissions(self.request, obj) in the retrieve method.

In the basic scenario this is all you need. There’s no need to overwrite the retrieve method.

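    from rest_framework import viewsets
    from rest_framework.authentication import TokenAuthentication
    from rest_framework.permissions import IsAuthenticated

    # Address, AddressSerializer and IsOwner are defined in the project (imports not shown).
    class AddressViewSet(viewsets.ModelViewSet):
        serializer_class = AddressSerializer
        authentication_classes = (TokenAuthentication,)
        permission_classes = [IsAuthenticated, IsOwner]
        queryset = Address.objects.all()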
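
The call order the answers above describe, as an added example that is not part of any answer and is not DRF's own code: a plain-Python stand-in whose method names mirror DRF, with constructed rows. `retrieve_via_service` and `scope_list_to_owner` are hypothetical names, the first standing for an overridden retrieve that loads the object through its own service layer.

```python
# Plain-Python model of the DRF call order; not DRF code. Names and rows are constructed.
from types import SimpleNamespace

class IsOwner:
    def has_permission(self, request, view):
        return request.user is not None  # view-level gate, runs on every request

    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user  # only reached via check_object_permissions()

class AddressView:
    permission_classes = [IsOwner]
    rows = [SimpleNamespace(pk=1, owner="alice"), SimpleNamespace(pk=2, owner="bob")]

    def __init__(self, request, scope_list_to_owner=False):
        self.request, self.scope = request, scope_list_to_owner

    def dispatch(self, action, *args):
        # View-level permissions run before any handler, as in DRF's initial().
        if not all(p().has_permission(self.request, self) for p in self.permission_classes):
            raise PermissionError("view-level check failed")
        return getattr(self, action)(*args)

    def check_object_permissions(self, obj):
        for p in self.permission_classes:
            if not p().has_object_permission(self.request, self, obj):
                raise PermissionError("object-level check failed")

    def get_queryset(self):
        # list() never reaches has_object_permission, so per-user scoping lives here.
        return [r for r in self.rows if not self.scope or r.owner == self.request.user]

    def get_object(self, pk):
        obj = next((r for r in self.get_queryset() if r.pk == pk), None)
        if obj is None:
            raise LookupError("not found")  # stands in for a 404
        self.check_object_permissions(obj)
        return obj

    def list(self):
        return [r.pk for r in self.get_queryset()]

    def retrieve(self, pk):
        return self.get_object(pk).pk

    def retrieve_via_service(self, pk):
        # Overridden handler that loads the row itself and never calls get_object().
        return next(r.pk for r in self.rows if r.pk == pk)
```

In this model `dispatch("list")` returns every row unless the queryset is scoped, and `dispatch("retrieve_via_service", 2)` hands another user's row to alice because the object-level check is never reached.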
