You can write a custom permission class (attached to the album view/viewset via `permission_classes`) that checks, on `create`, that every photo referenced in the request body belongs to the requesting user:
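class CustomerAccessPermission(permissions.BasePermission):
    """Allow ``create`` only when every referenced photo belongs to the requester.

    Reads ``request.data`` (parsed JSON *and* form bodies) rather than
    ``request.POST``, which only sees form-encoded data: a JSON client would
    otherwise get ``None`` and crash the loop, or a form client would get a
    string and iterate its characters. Each ``photos`` entry is expected to be
    a dict with an ``id`` key -- TODO confirm against the AlbumSerializer's
    write format.

    NOTE: only the ``create`` action is guarded here. If ``update`` /
    ``partial_update`` can also change ``photos``, they need the same check
    (or, better, scope the serializer field's queryset to ``request.user``).
    """

    message = 'You can only add your photos!'

    def has_permission(self, request, view):
        # ``view.action`` exists on ViewSets only; plain APIViews have no
        # action, so treat "no action" as "not create" instead of raising.
        if getattr(view, 'action', None) != 'create':
            return True
        # Anonymous callers own nothing; deny before the ORM filter below
        # sees an AnonymousUser (which raises instead of returning no rows).
        if not request.user or not request.user.is_authenticated:
            return False
        photos = request.data.get('photos') or []
        for photo in photos:
            photo_id = photo.get('id') if isinstance(photo, dict) else photo
            if photo_id is None:
                return False
            try:
                owned = Photo.objects.filter(id=photo_id, owner=request.user).exists()
            except (TypeError, ValueError):
                # Malformed id (e.g. non-numeric for an integer pk): deny
                # with the permission message rather than return a 500.
                return False
            if not owned:
                return False
        return True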
Or, to avoid one database query per photo, fetch the caller's photo IDs once and check every requested ID against that set:
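class CustomerAccessPermission(permissions.BasePermission):
    """Allow ``create`` only when every referenced photo belongs to the requester.

    Single-query variant: the caller's photo primary keys are loaded once and
    the request's ids are checked against that set, instead of one ``exists()``
    query per photo. Reads ``request.data`` (parsed JSON and form bodies)
    rather than ``request.POST`` (form-encoded only). Each ``photos`` entry is
    expected to be a dict with an ``id`` key -- TODO confirm against the
    AlbumSerializer's write format.

    NOTE: only the ``create`` action is guarded here. If ``update`` /
    ``partial_update`` can also change ``photos``, they need the same check
    (or, better, scope the serializer field's queryset to ``request.user``).
    """

    message = 'You can only add your photos!'

    def has_permission(self, request, view):
        # ``view.action`` exists on ViewSets only; treat a view without an
        # action as "not create" instead of raising AttributeError.
        if getattr(view, 'action', None) != 'create':
            return True
        # Anonymous callers own nothing; deny before the ORM filter below
        # sees an AnonymousUser (which raises instead of returning no rows).
        if not request.user or not request.user.is_authenticated:
            return False
        # Compare as strings so an integer pk still matches an id sent as
        # "42", and a UUID pk still matches its canonical text form; a set
        # gives O(1) membership instead of a linear scan per photo.
        owned_ids = {
            str(pk)
            for pk in Photo.objects.filter(owner=request.user).values_list('id', flat=True)
        }
        for photo in request.data.get('photos') or []:
            photo_id = photo.get('id') if isinstance(photo, dict) else photo
            if photo_id is None or str(photo_id) not in owned_ids:
                # Missing, malformed or someone else's id: deny, don't 500.
                return False
        return True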
Source:stackexchange.com