DRF Object level permissions check for single field

Question

How do you add permissions to a model so that any user can add a new instance, but only a logged in user can add a particular attribute?

Django models.py:

class Ingredient(models.Model):
    name = models.CharField(max_length=100, unique=True)
    recipes = models.ManyToManyField(Recipe, related_name='ingredients', blank=True)

DRF views.py:

class IngredientViewSet(viewsets.ModelViewSet):
    queryset = Ingredient.objects.all()
    serializer_class = IngredientSerializer
    permission_classes = (IsUserForRecipeOrBasicAddReadOnly,)

DRF permissions.py:

class IsUserForRecipeOrBasicAddReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow logged in users to add an ingredient AND associate its recipe(s).
    """
    message = 'You must be logged in to add an Ingredient to a Recipe.'

    # using this method so I can access the model obj itself
    def has_object_permission(self, request, view, obj):
        # Read permissions are allowed to any request,
        if request.method in permissions.SAFE_METHODS:
            return True

        # Check if we are creating, and if the recipes are included, and if they are not a user.  If so, return False
        if request.method == 'POST' and obj.recipes.all().count() > 0 and request.user.is_anonymous:
            return False
        else:
            return True

I see the appropriate calls/prints to the custom permission class, but I can still make a POST request with a list of recipe id's and it does not error with the message.

Notes -

• I am getting two POST requests, both with the same information/print statements, and then a third to the GET (once it is added, it shows the newly created instance - which is correct behavior, but I don't know why two POSTs are going through)

Answer 1

I think a better approach would be to use 2 different serializer(one of them hase Recipes as a writable field and the other does not), then override get_serializer_class:

class yourMOdelviewset():
    ...
    ...
    def get_serializer_class(self):
        if self.action == 'create':
            if self.request.user.is_authenticated:
                return SerializerThatHasRecipesAsAWriteableField
            else:
                return SerializerThatHasNot
        return super().get_serializer_class()

p.s. Drf uses object level permission for retrieving or updating (basically there should be an object already), since in create there is no object yet, drf never checks the object level permission.

Answer 2

The solution proposed by @changak is a good one. Including this as a more direct solution to the question posed. In DRF, has_object_permission is explicitly for an object already in the database, but you can use has_permission. From the docs, this excerpt explains why you don't see has_object_permission being called:

Note: The instance-level has_object_permission method will only be called if the view-level has_permission checks have already passed.

In has_permission, you still have access to the data, and can add a check. Assuming your IngredientSerializer has a recipes field, you can check with something like this:

class IsUserForRecipeOrBasicAddReadOnly(permissions.BasePermission):
    """
    Custom permission to only allow logged in users to add an ingredient AND associate its recipe(s).
    """
    message = 'You must be logged in to add an Ingredient to a Recipe.'

    def has_permission(self, request, view):
        if view.action != 'create':
            # Handle everything but create at the object level.
            return True

        if not request.data.get('recipes'):
            return True

        return request.user and request.user.is_authenticated()