5π
I found out what I had to do. Here is my new permission class:
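```python
from rest_framework import permissions

# Content is the project's own model; import it from the app's models module.


class LinkAssetPermission(permissions.BasePermission):
    message = 'Link access not allowed.'

    def has_permission(self, request, view):
        # Runs on every request, including create.
        try:
            content = Content.objects.get(pk=request.parser_context["kwargs"]["content_id"])
        except (KeyError, ValueError, Content.DoesNotExist):
            return False
        return content.delivery.owner == request.user and content.delivery.can_change

    def has_object_permission(self, request, view, obj):
        # Runs only when the view calls get_object().
        return obj.content.delivery.owner == request.user and obj.content.delivery.can_change
```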
On create the method has_object_permission is not considered but the has_permission is. So I retrieve the parameter sent from the urls.py, query and check the properties of the object I want.
Thanks
1π
`has_object_permission()` gets called whenever the `.get_object()` method is called in a generic view, i.e. a particular resource is being accessed.

Now, since all the `detail` requests (`retrieve`, `update`, `delete`) access a particular resource/object, it works. For `create` requests, the `get_object()` method does not get called, so it does not work in your case.

For handling `create` requests, you can create another serializer where there are validations for the above 2 conditions. And then change your permission classes to work for `detail` requests only.
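An added example (not from either answer, and not DRF's source): a dependency-free model of the call order both answers describe. It shows that a permission class overriding only `has_object_permission` lets a non-owner through on create, and that the view-level `has_permission` check closes that gap. `View`, `ObjectOnly`, `attempt` and the sample users are hypothetical stand-ins.

```python
from types import SimpleNamespace as NS

class PermissionDenied(Exception):
    pass

class BasePermission:
    # Mirrors DRF's defaults: both hooks allow unless a subclass overrides them.
    def has_permission(self, request, view):
        return True
    def has_object_permission(self, request, view, obj):
        return True

class ObjectOnly(BasePermission):
    # Ownership enforced only at object level.
    def has_object_permission(self, request, view, obj):
        d = obj.content.delivery
        return d.owner == request.user and d.can_change

class LinkAssetPermission(ObjectOnly):
    # Adds the view-level check from the first answer, keyed on the URL kwarg.
    def has_permission(self, request, view):
        content = view.contents.get(view.kwargs.get("content_id"))
        if content is None:
            return False
        return content.delivery.owner == request.user and content.delivery.can_change

class View:
    # Hypothetical stand-in for a generic view's call order; not DRF source.
    def __init__(self, permission, contents, links, **kwargs):
        self.permission, self.contents = permission, contents
        self.links, self.kwargs = links, kwargs
    def dispatch(self, request, action):
        if not self.permission.has_permission(request, self):  # every request
            raise PermissionDenied
        if action == "create":
            return "created"  # get_object() is never called on create
        obj = self.links[self.kwargs["pk"]]  # stands in for get_object()
        if not self.permission.has_object_permission(request, self, obj):
            raise PermissionDenied
        return "updated"

def attempt(permission, user, action, **kwargs):
    # Constructed sample data: one delivery owned by "alice".
    content = NS(delivery=NS(owner="alice", can_change=True))
    view = View(permission, {1: content}, {7: NS(content=content)}, **kwargs)
    try:
        return view.dispatch(NS(user=user), action)
    except PermissionDenied:
        return "denied"
```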