[Django]-What's the differences between has_object_permission and has_permission?

We have following two permission methods on BasePermission class:

• def has_permission(self, request, view)
• def has_object_permission(self, request, view, obj)

Those two different methods are called for restricting unauthorized users for data insertion and manipulation.

has_permission is called on all HTTP requests whereas, has_object_permission is called from DRF’s method def get_object(self). Hence, has_object_permission method is available for GET, PUT, DELETE, not for POST request.

In summary:

• permission_classes are looped over the defined list.
• has_object_permission method is called after has_permission method returns value True except in POST method (in POST method only has_permission is executed).
• When a False value is returned from the permission_classes method, the request gets no permission and will not loop more, otherwise, it checks all permissions on looping.
• has_permission method will be called on all (GET, POST, PUT, DELETE) HTTP request.
• has_object_permission method will not be called on HTTP POST request, hence we need to restrict it from has_permission method.

has_permission() is a method on the BasePermission class that is used to check if the user has permission to perform a certain action on the entire model. For example, you might use it to check if a user has permission to view a list of all objects of a certain model.

has_object_permission() is a method on the BasePermission class that is used to check if the user has permission to perform a certain action on a specific instance of the model. For example, you might use it to check if a user has permission to view, update or delete a specific object of a certain model.

For example, you might have a Book model and a User model in your application. You could use has_permission() to check if a user has permission to view a list of all books, while you use has_object_permission() to check if a user has permission to view, update or delete a specific book.

class IsBookOwnerOrAdmin(permissions.BasePermission):
    def has_permission(self, request, view):
       # Check if the user is authenticated
       if not request.user.is_authenticated:
          return False
       # Allow access for superusers
       if request.user.is_superuser:
           return True
       # Allow access if the user is the owner of the book
       if request.method in permissions.SAFE_METHODS:
           return True
       return False

   def has_object_permission(self, request, view, obj):
       # Allow access for superusers
       if request.user.is_superuser:
           return True
       # Allow access if the user is the owner of the book
       return obj.owner == request.user

I think this can help:

class IsAuthorOrReadOnly(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        # Read-only permissions are allowed for any request
        if request.method in permissions.SAFE_METHODS:
            return True
        # Write permissions are only allowed to the author of a post
        return obj.user == request.user

As far as I can see, you are not adding your custom permission to the class as an argument.

This is your code:

class StudentUpdateAPIView(RetrieveUpdateAPIView):
    serializer_class = StudentCreateUpdateSerializer
    queryset = Student.objects.all()
    lookup_field = 'pk'
    permissions_classes = [IsAuthenticatedAndOwner]

But it should be:

class StudentUpdateAPIView(RetrieveUpdateAPIView, IsAuthenticatedAndOwner):
    serializer_class = StudentCreateUpdateSerializer
    queryset = Student.objects.all()
    lookup_field = 'pk'
    permissions_classes = [IsAuthenticatedAndOwner]

Note the custom permission IsAuthenticatedAndOwner as an argument in the class header.

PS: I hope this helps, I am a beginner in DRF but this is one of the things I just learned.