I'm using drf-nested-routers with ModelViewSets. Everything works fine; however, permission checks on a resource/object are not being executed.

When dealing with a single resource/un-nested url, the permission checks get executed.

Is there something that I am missing?

from django.shortcuts import get_object_or_404
from rest_framework import viewsets
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

# Comment, CommentSerializer and the permissions module are the project's own.


class CommentViewSet(viewsets.ModelViewSet):
    permission_classes = [IsAuthenticated,
                          permissions.CanCreateEditViewDeleteComment]

    def get_serializer_class(self, *args, **kwargs):
        return CommentSerializer

    def list(self, request, article_pk=None):
        # Comments of the parent article only.
        queryset = Comment.objects.select_related('article', 'user').filter(
            article=article_pk).prefetch_related('likes')

        page = self.paginate_queryset(queryset)
        if page is not None:
            serializer = self.get_serializer(page, many=True)
            return self.get_paginated_response(serializer.data)

        serializer = self.get_serializer(queryset, many=True)
        return Response(serializer.data)

    def retrieve(self, request, pk=None, article_pk=None):
        # The comment is fetched directly here; get_object() is not called.
        queryset = Comment.objects.select_related('article', 'user').filter(
            pk=pk, article=article_pk).prefetch_related('likes')
        comment = get_object_or_404(queryset, pk=pk)
        serializer = self.get_serializer(comment)
        return Response(serializer.data)
dez

1 Answer

Okay, so after browsing the docs, there is a way to call permission checks manually.

If you're writing your own views and want to enforce object level permissions, or if you override the get_object method on a generic view, then you'll need to explicitly call the .check_object_permissions(request, obj) method on the view at the point at which you've retrieved the object.

Here is a code example:

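def get_object(self):
    # Look up a single object by the pk from the URL kwargs.
    obj = get_object_or_404(self.get_queryset(), pk=self.kwargs["pk"])
    # Run has_object_permission() of every permission class against it.
    self.check_object_permissions(self.request, obj)
    return obj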
dez
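An added example, not code from the question, the answer or DRF itself: a simplified pure-Python model of the flow discussed above, showing why a retrieve() that fetches the object itself skips the object-level check and how routing it through get_object() restores it. The View class, IsCommentOwner, the exception classes and the COMMENTS data are all constructed for illustration; only the method names mirror DRF's.

```python
# Simplified model of the DRF flow, not DRF source. COMMENTS is constructed data.
COMMENTS = {10: {"article": 1, "user": "alice"}, 11: {"article": 2, "user": "bob"}}

class PermissionDenied(Exception): status = 403
class NotFound(Exception): status = 404

class IsCommentOwner:  # hypothetical permission class
    def has_permission(self, user, view):
        return user is not None                  # view-level: any logged-in user
    def has_object_permission(self, user, view, obj):
        return obj["user"] == user               # object-level: owner only

class View:
    permission_classes = [IsCommentOwner]

    def dispatch(self, user, **kwargs):
        self.user, self.kwargs = user, kwargs
        try:
            self.check_permissions()             # always runs before the handler
            return 200, self.retrieve(**kwargs)
        except (PermissionDenied, NotFound) as exc:
            return exc.status, None

    def check_permissions(self):
        if not all(p().has_permission(self.user, self) for p in self.permission_classes):
            raise PermissionDenied

    def check_object_permissions(self, obj):
        if not all(p().has_object_permission(self.user, self, obj) for p in self.permission_classes):
            raise PermissionDenied

    def lookup(self):
        # Scope the comment to its parent article, as the nested route requires.
        obj = COMMENTS.get(self.kwargs["pk"])
        if obj is None or obj["article"] != self.kwargs["article_pk"]:
            raise NotFound
        return obj

    def get_object(self):
        obj = self.lookup()
        self.check_object_permissions(obj)       # the only caller of the object check
        return obj

class OverriddenRetrieve(View):
    def retrieve(self, pk, article_pk):
        return self.lookup()                     # like the question: get_object() never runs

class FixedRetrieve(View):
    def retrieve(self, pk, article_pk):
        return self.get_object()                 # object-level check now enforced
```

A regression test for the real viewset should make the same comparison: a non-owner requesting another user's comment through the nested URL must receive 403, and a comment requested under the wrong article must receive 404.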