[Fixed]-DjangoRestFramework – object level permission not being allowed for some reason (has_permission and has_object_permission)

1👍

A detail_route request or a POST request won’t reach has_object_permission. Only PUT, PATCH and DELETE will reach has_object_permission.

So try:

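from rest_framework import permissions

class FollowPermission(permissions.BasePermission):  # class name is a placeholder
    def has_permission(self, request, view):
        # is_authenticated is a property since Django 1.10; calling it fails on Django 2.0+
        if request.user.is_authenticated and view.action == 'follow':
            return True
        return request.method in permissions.SAFE_METHODS or request.user.is_staff

    def has_object_permission(self, request, view, obj):
        # Object-level check: read-only methods for everyone, anything for staff
        return request.method in permissions.SAFE_METHODS or request.user.is_staff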

This will allow:

  • unauthenticated users read-only access
  • authenticated users read-only access & follow
  • admin to perform any request
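
An added example (not part of the original answer) that tabulates what the two methods above allow for each kind of user, using stand-in request and view objects so it runs without Django or DRF installed. The class name, the sample users and the `check_object` switch are assumptions; `check_object=True` models a view that calls DRF's `check_object_permissions()`, which `get_object()` does.

```python
from types import SimpleNamespace

# Copy of rest_framework.permissions.SAFE_METHODS so this runs without DRF installed.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


class FollowOrStaffOrReadOnly:  # hypothetical name; same logic as the answer's methods
    def has_permission(self, request, view):
        if request.user.is_authenticated and view.action == "follow":
            return True
        return request.method in SAFE_METHODS or request.user.is_staff

    def has_object_permission(self, request, view, obj):
        return request.method in SAFE_METHODS or request.user.is_staff


# Constructed stand-ins for request.user (not real Django user objects).
USERS = {
    "anonymous": SimpleNamespace(is_authenticated=False, is_staff=False),
    "member": SimpleNamespace(is_authenticated=True, is_staff=False),
    "staff": SimpleNamespace(is_authenticated=True, is_staff=True),
}
# (HTTP method, view.action) pairs; "follow" is the POST detail route.
CALLS = [("GET", "retrieve"), ("POST", "create"), ("POST", "follow"),
         ("PUT", "update"), ("DELETE", "destroy")]


def allowed_actions(who, check_object=False):
    """Return the actions `who` may perform.

    check_object=True models a view that also runs the object-level check.
    """
    perm, user, allowed = FollowOrStaffOrReadOnly(), USERS[who], []
    for method, action in CALLS:
        request = SimpleNamespace(user=user, method=method)
        view = SimpleNamespace(action=action)
        ok = perm.has_permission(request, view)
        if ok and check_object:
            ok = perm.has_object_permission(request, view, obj=None)
        if ok:
            allowed.append(action)
    return allowed


if __name__ == "__main__":
    for who in USERS:
        print(f"{who:9} view-level: {allowed_actions(who)}")
        print(f"{who:9} + object-level: {allowed_actions(who, check_object=True)}")
```

With `check_object=True` the non-staff member keeps only `retrieve`, so a `follow` view that calls `get_object()` would need the object-level method to allow that action as well.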
